
Analysis Report PURCHASE ORDER.exe

Overview

General Information

Sample Name: PURCHASE ORDER.exe
Analysis ID: 321194
MD5: 8e2337f7cdd4bcd18e862b7a73734d49
SHA1: 457de2e691794711d257ab9c6315d6f26465ce1a
SHA256: d30629a1a9aad3b8bc1e3827ab767473089214fd801b556f9ed3430f39bacbdd
Tags: exe, HawkEye


Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64
  • PURCHASE ORDER.exe (PID: 6508 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
    • PURCHASE ORDER.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
      • dw20.exe (PID: 6732 cmdline: dw20.exe -x -s 2104 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6940 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • PURCHASE ORDER.exe (PID: 6532 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
      • PURCHASE ORDER.exe (PID: 764 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
        • PURCHASE ORDER.exe (PID: 6952 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
          • dw20.exe (PID: 1112 cmdline: dw20.exe -x -s 2112 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 1236 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 3720 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • PURCHASE ORDER.exe (PID: 5552 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
          • PURCHASE ORDER.exe (PID: 1396 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
            • PURCHASE ORDER.exe (PID: 5140 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
              • dw20.exe (PID: 5468 cmdline: dw20.exe -x -s 2304 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
            • PURCHASE ORDER.exe (PID: 3100 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
              • PURCHASE ORDER.exe (PID: 5772 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
                • PURCHASE ORDER.exe (PID: 5076 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
                  • dw20.exe (PID: 4684 cmdline: dw20.exe -x -s 2272 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                  • vbc.exe (PID: 6536 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • vbc.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                • PURCHASE ORDER.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218 MD5: 8E2337F7CDD4BCD18E862B7A73734D49)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b69c:$key: HawkEyeKeylogger
  • 0x7d8cc:$salt: 099u787978786
  • 0x7bcdd:$string1: HawkEye_Keylogger
  • 0x7cb1c:$string1: HawkEye_Keylogger
  • 0x7d82c:$string1: HawkEye_Keylogger
  • 0x7c0b2:$string2: holdermail.txt
  • 0x7c0d2:$string2: holdermail.txt
  • 0x7bff4:$string3: wallet.dat
  • 0x7c00c:$string3: wallet.dat
  • 0x7c022:$string3: wallet.dat
  • 0x7d3f0:$string4: Keylog Records
  • 0x7d708:$string4: Keylog Records
  • 0x7d924:$string5: do not script -->
  • 0x7b684:$string6: \pidloc.txt
  • 0x7b712:$string7: BSPLIT
  • 0x7b722:$string7: BSPLIT
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bd35:$hawkstr1: HawkEye Keylogger
  • 0x7cb62:$hawkstr1: HawkEye Keylogger
  • 0x7ce91:$hawkstr1: HawkEye Keylogger
  • 0x7cfec:$hawkstr1: HawkEye Keylogger
  • 0x7d14f:$hawkstr1: HawkEye Keylogger
  • 0x7d3c8:$hawkstr1: HawkEye Keylogger
  • 0x7b8c3:$hawkstr2: Dear HawkEye Customers!
  • 0x7cee4:$hawkstr2: Dear HawkEye Customers!
  • 0x7d03b:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1a2:$hawkstr2: Dear HawkEye Customers!
  • 0x7b9e4:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
38.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
39.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
7.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
34.2.PURCHASE ORDER.exe.2390000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b89c:$key: HawkEyeKeylogger
  • 0x7dacc:$salt: 099u787978786
  • 0x7bedd:$string1: HawkEye_Keylogger
  • 0x7cd1c:$string1: HawkEye_Keylogger
  • 0x7da2c:$string1: HawkEye_Keylogger
  • 0x7c2b2:$string2: holdermail.txt
  • 0x7c2d2:$string2: holdermail.txt
  • 0x7c1f4:$string3: wallet.dat
  • 0x7c20c:$string3: wallet.dat
  • 0x7c222:$string3: wallet.dat
  • 0x7d5f0:$string4: Keylog Records
  • 0x7d908:$string4: Keylog Records
  • 0x7db24:$string5: do not script -->
  • 0x7b884:$string6: \pidloc.txt
  • 0x7b912:$string7: BSPLIT
  • 0x7b922:$string7: BSPLIT

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: PURCHASE ORDER.exe.5140.29.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER.exe | Virustotal: Detection: 52%
Source: PURCHASE ORDER.exe | ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: PURCHASE ORDER.exe | Joe Sandbox ML: detected
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00408A78 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_00408A78 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49724 -> 166.62.27.57:587
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49740 -> 166.62.27.57:587
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49762 -> 166.62.27.57:587
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.5:49767 -> 166.62.27.57:587
May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 166.62.27.57:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36
Source: Joe Sandbox View | IP Address: 166.62.27.57
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
                Source: PURCHASE ORDER.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: unknown; DNS traffic detected: queries for: 194.167.4.0.in-addr.arpa
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                Source: PURCHASE ORDER.exe, 00000002.00000003.243158322.000000000509D000.00000004.00000001.sdmpString found in binary or memory: http://en.wikipedia
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                Source: PURCHASE ORDER.exe, 00000002.00000003.243348763.00000000050C5000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com(
                Source: PURCHASE ORDER.exe, 00000002.00000003.243348763.00000000050C5000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.comu
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                Source: PURCHASE ORDER.exe, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.comx&
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comaE
                Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comasc
                Source: PURCHASE ORDER.exe, 00000002.00000003.248367150.00000000050A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
                Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
                Source: PURCHASE ORDER.exe, 00000002.00000003.248367150.00000000050A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comli
                Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                Source: PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueta
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.243270063.00000000050C5000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.245859149.000000000509E000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: PURCHASE ORDER.exe, 00000002.00000003.245859149.000000000509E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn-
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: PURCHASE ORDER.exe, 00000002.00000003.244906268.00000000050A1000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnLog
                Source: PURCHASE ORDER.exe, 00000002.00000003.244906268.00000000050A1000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnayob
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
                Source: PURCHASE ORDER.exe, 00000002.00000003.247452033.0000000005095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
                Source: PURCHASE ORDER.exe, 00000002.00000003.247452033.0000000005095000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/L
                Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
                Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0J(
                Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/al
                Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b
                Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
                Source: PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/icro
                Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/L
                Source: PURCHASE ORDER.exe, 00000002.00000003.247116127.0000000005094000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ogra
                Source: PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
                Source: PURCHASE ORDER.exe, 00000002.00000003.247116127.0000000005094000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/~
                Source: PURCHASE ORDER.exe, 00000002.00000003.250146188.00000000050CD000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.249323990.00000000050CC000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                Source: PURCHASE ORDER.exe, 00000002.00000003.248147520.00000000050A4000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.g
                Source: vbc.exe, 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: PURCHASE ORDER.exe, 00000002.00000003.245788944.000000000509D000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.
                Source: PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;t
                Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
                Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
                Source: vbc.exe, 00000008.00000002.268988191.00000000005CE000.00000004.00000040.sdmp, vbc.exe, 00000016.00000003.334066418.000000000095E000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.417414643.0000000000A0E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-yo
                Source: vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                Source: PURCHASE ORDER.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384957063.0000000002FD7000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.comx&
                Source: PURCHASE ORDER.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrom
                Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/st
                Source: vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49766
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49754
                Source: unknown; Network traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49765
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 49729 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 49766 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 49765 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49729
                Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknown; Network traffic detected: HTTP traffic on port 49754 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknown; Network traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknown; Network traffic detected: HTTP traffic on port 49753 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Yara detected HawkEye Keylogger
                Source: Yara match; File source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.385013929.0000000002FF6000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
                Source: Yara match; File source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE
                Contains functionality to log keystrokes (.Net Source)
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                Installs a global keyboard hook
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_004070F2 OpenClipboard,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_00422CC4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_00423308 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0045E108 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Window created: window name: CLIPBRDWNDCLASS
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
                Source: Yara match; File source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                Initial sample is a PE file and has a suspicious name
                Source: initial sample; Static PE information: Filename: PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0045AACC NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0044F67C GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_00433DC8 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0043FF18 NtdllDefWindowProc_A,GetCapture,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00490159 NtCreateSection,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_0045AACC NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_00433DC8 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_0043FF18 NtdllDefWindowProc_A,GetCapture,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_004551A0
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 1_2_0044F67C
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0040D426
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0040D523
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0041D5AE
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00417646
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0040D6C4
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_004429BE
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00446AF4
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0046ABFC
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00463C4D
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00463CBE
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0040ED03
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00463D2F
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00463DC0
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0040CF92
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0041AFA6
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0048F13D
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_00489976
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_004F9017
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_004F90A8
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_004A227A
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_004B028E
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 2_2_0043C7BC
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_004551A0
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe; Code function: 3_2_0044F67C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00404419
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00404516
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00413538
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_004145A1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_0040E639
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_004337AF
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_004399B1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_0043DAE7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00405CF6
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00403F85
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 00403648 appears 46 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 0044BA9D appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 00403A14 appears 62 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 0040674C appears 32 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 004043D8 appears 34 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 0040C464 appears 36 times
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: String function: 004043B4 appears 149 times
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000001.00000002.242724374.0000000002160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe | Binary or memory string: OriginalFilename vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe | Binary or memory string: OriginalFileName vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000010.00000002.306231588.0000000002490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.359412017.0000000006F20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.354017933.00000000022C2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000013.00000002.362746743.00000000022A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 0000001E.00000002.394685072.00000000022B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399331327.0000000002370000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000021.00000002.400122887.0000000002802000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000022.00000002.443932118.0000000000887000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs PURCHASE ORDER.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs | Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmp | Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
                Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@44/23@20/3
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00420390 GetLastError,FormatMessageA,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00408D0A GetDiskFreeSpaceA,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00416B24 FindResourceA,LoadResource,SizeofResource,LockResource,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A98.tmp
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: PURCHASE ORDER.exe Virustotal: Detection: 52%
                Source: PURCHASE ORDER.exe ReversingLabs: Detection: 54%
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2112
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2112
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: unknown unknown
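The process-creation rows above carry the most actionable detection point in this report. vbc.exe is the Visual Basic .NET compiler; it is launched here twice with /stext <file>, which is the NirSoft command-line switch for saving results to a text file and is not a vbc compiler option. A vbc.exe whose command line carries that switch is therefore a hollowed host running the MailPassView / WebBrowserPassView payload (the two tools whose PDB paths appear further down), with the dumps written to holdermail.txt and holderwb.txt in the user's Temp folder. The sample also relaunches its own image with extra numeric arguments and repeatedly spawns dw20.exe -x -s, the .NET Framework error-reporting shim. The script below is an added example written for this page, not code from the Joe Sandbox report or from the sample: the event list is constructed from the rows above plus one benign compiler invocation, and the rule names and severities are the author's own assumptions.

```python
import ntpath
import re

# NirSoft "save to file" switches shared by mailpv and WebBrowserPassView (the
# two tools whose PDB paths appear in this report). vbc.exe, the VB compiler,
# has no such switch, so a .NET host binary plus one of these is a tell that
# the process image has been replaced.
NIRSOFT_SAVE_SWITCHES = {"/stext", "/shtml", "/sxml", "/scomma", "/stab"}

# .NET Framework binaries commonly used as process-hollowing hosts.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe"}

# Constructed events modelled on the "Process created" rows above (plus one
# benign compiler run). These are not sandbox output.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Desktop\PURCHASE ORDER.exe",
     "cmdline": r"'C:\Users\user\Desktop\PURCHASE ORDER.exe'"},
    {"parent": r"C:\Users\user\Desktop\PURCHASE ORDER.exe",
     "image": r"C:\Users\user\Desktop\PURCHASE ORDER.exe",
     "cmdline": r"'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453"},
    {"parent": r"C:\Users\user\Desktop\PURCHASE ORDER.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
     "cmdline": "dw20.exe -x -s 2104"},
    {"parent": r"C:\Users\user\Desktop\PURCHASE ORDER.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"parent": r"C:\Users\user\Desktop\PURCHASE ORDER.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    # Benign: MSBuild driving the compiler with real vbc options. Must not fire.
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": "vbc.exe /noconfig /out:App.exe Module1.vb"},
]


def _basename(path):
    return ntpath.basename(path.strip("'\"")).lower()


def _tokens(cmdline):
    # Split on whitespace but keep quoted paths (which contain spaces) whole.
    return [t.lower() for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)]


def triage(events):
    """Return one finding per matched rule, in event order."""
    findings = []
    for ev in events:
        image, parent = _basename(ev["image"]), _basename(ev["parent"])
        toks = _tokens(ev["cmdline"])

        # Rule 1: a .NET host binary invoked with a NirSoft save switch.
        if image in DOTNET_HOSTS:
            hits = [t for t in toks if t in NIRSOFT_SAVE_SWITCHES]
            if hits:
                i = toks.index(hits[0])
                target = toks[i + 1] if i + 1 < len(toks) else "?"
                findings.append({"severity": "high", "rule": "nirsoft_switch_in_dotnet_host",
                                 "image": image, "detail": f"{hits[0]} -> {target}"})

        # Rule 2: a process spawns its own image again with extra arguments.
        if ev["image"].lower() == ev["parent"].lower() and len(toks) > 1:
            findings.append({"severity": "medium", "rule": "self_relaunch_with_args",
                             "image": image, "detail": " ".join(toks[1:])})

        # Rule 3: the .NET error-reporting shim started for a binary living
        # under a user profile (a desktop EXE that keeps crashing).
        if image == "dw20.exe" and "-x" in toks and ev["parent"].lower().startswith("c:\\users\\"):
            findings.append({"severity": "low", "rule": "dotnet_error_report_from_user_binary",
                             "image": image, "detail": parent})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['image']} {f['detail']}")
```

Run against the constructed events this yields four findings: one self-relaunch, one dw20.exe launch and the two vbc.exe /stext dumps; the MSBuild-driven compile produces nothing, which is the case any such rule has to survive on a developer workstation.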
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbHrs source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\PURCHASE ORDER.PDB+ source: PURCHASE ORDER.exe, 00000022.00000002.444026054.0000000000920000.00000004.00000020.sdmp
                Source: Binary string: qt1wsymbols\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp
                Source: Binary string: yNqt1wsymbols\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb-uj source: PURCHASE ORDER.exe, 00000022.00000002.444000578.0000000000907000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292378043.0000000000768000.00000004.00000020.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdbP source: PURCHASE ORDER.exe, 0000001D.00000002.382476578.0000000000616000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PURCHASE ORDER.exe, 0000001D.00000002.382476578.0000000000616000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\PURCHASE ORDER.PDBw source: PURCHASE ORDER.exe, 0000001D.00000002.389703160.000000000715A000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbORDER.exe source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
                Source: Binary string: .pdb* source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbf source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbns\Desktop\PURCHASE ORDER.exe8 source: PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb_ source: PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: oC:\Windows\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: rlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbj source: PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: qt1wsymbols\dll\mscorlib.pdbx source: PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb, source: PURCHASE ORDER.exe, 00000022.00000002.444026054.0000000000920000.00000004.00000020.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PURCHASE ORDER.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359412017.0000000006F20000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp
                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: PURCHASE ORDER.exe, 00000002.00000002.300307949.0000000007EAA000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.390185626.0000000007A0A000.00000004.00000010.sdmp, PURCHASE ORDER.exe, 00000022.00000002.449878099.000000000778A000.00000004.00000010.sdmp
                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PURCHASE ORDER.exe, vbc.exe, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, vbc.exe, 00000015.00000002.325960552.0000000000400000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, vbc.exe, 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbuK source: PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\PURCHASE ORDER.PDBD source: PURCHASE ORDER.exe, 00000002.00000002.292378043.0000000000768000.00000004.00000020.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb@ source: PURCHASE ORDER.exe, 00000012.00000002.359719104.000000000788A000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: PURCHASE ORDER.exe, 00000002.00000002.292879995.0000000002515000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354355516.0000000002405000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.383760694.0000000002825000.00000004.00000040.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444900967.00000000025F5000.00000004.00000040.sdmp
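The PDB paths above are the quickest attribution in this report. f:\Projects\VS2005\mailpv\Release\mailpv.pdb and f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb are the NirSoft Mail PassView and WebBrowserPassView build paths, matching the MailPassView and WebBrowserPassView Yara hits; the ...\Projects\Stealer\CMemoryExecute\...\CMemoryExecute.pdb path names the in-memory PE loader that runs them inside vbc.exe, consistent with the process-hollowing signature; and the many mscorlib.pdb variants (with "Hrs", "+", "Q" and similar trailing bytes from adjacent memory) are the CLR probing for its own symbol file, which shows up in every .NET process and carries no signal. The script below is an added example, not code from the report or from the sample. It pulls PDB paths out of a memory dump and separates signal from runtime noise; the dump bytes are constructed from the rows above, and the KNOWN table is the author's attribution.

```python
import re

# Windows-style PDB path: optional \??\ prefix, drive letter, then anything up
# to the first ".pdb". Trailing junk such as "Hrs", "+" or "Q" in the rows
# above is simply not part of the match.
PDB_RE = re.compile(rb"(?:\\\?\?\\)?[A-Za-z]:\\[^\x00-\x1f\"<>|]{1,240}?\.pdb", re.IGNORECASE)

# Attribution table for the PDB basenames this report shows (author's notes).
KNOWN = {
    "mailpv.pdb": "NirSoft Mail PassView: mail credential dumper",
    "webbrowserpassview.pdb": "NirSoft WebBrowserPassView: browser credential dumper",
    "cmemoryexecute.pdb": "CMemoryExecute: in-memory PE loader used to hollow vbc.exe",
}
# The CLR's own symbol file shows up in every .NET process; it carries no signal.
NOISE = {"mscorlib.pdb"}

# Constructed memory-dump fragment built from the PDB rows above (not a real dump).
DUMP = (
    b"\x00\x00f:\\Projects\\VS2005\\mailpv\\Release\\mailpv.pdb\x00"
    b"junkC:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdbHrs"
    b"\x00\\??\\C:\\Users\\user\\Desktop\\PURCHASE ORDER.PDB+\x00"
    b"f:\\Projects\\VS2005\\WebBrowserPassView\\Release\\WebBrowserPassView.pdb\x00"
    b"C:\\Users\\Jovan\\Documents\\Visual Studio 2010\\Projects\\Stealer\\CMemoryExecute"
    b"\\CMemoryExecute\\obj\\Release\\CMemoryExecute.pdb\x00"
    b"f:\\Projects\\VS2005\\mailpv\\Release\\mailpv.pdb\x00"  # repeat, deduplicated below
)


def extract_pdb_paths(blob):
    """Return the distinct PDB paths in blob, in order of first appearance."""
    found = []
    for m in PDB_RE.finditer(blob):
        path = m.group(0).decode("latin-1")
        if path not in found:
            found.append(path)
    return found


def attribute(paths):
    """Split paths into (signal, noise); each signal entry carries its attribution."""
    signal, noise = [], []
    for p in paths:
        base = p.rsplit("\\", 1)[-1].lower()
        if base in NOISE:
            noise.append(p)
        else:
            signal.append((p, KNOWN.get(base, "unknown: review manually")))
    return signal, noise


if __name__ == "__main__":
    signal, noise = attribute(extract_pdb_paths(DUMP))
    for path, what in signal:
        print(f"{what:60} {path}")
    print(f"{len(noise)} runtime symbol path(s) ignored")
```

On the constructed dump the mailpv, WebBrowserPassView and CMemoryExecute paths come out attributed, the sample's own PURCHASE ORDER.PDB is left for manual review, and the mscorlib.pdb entry is dropped as noise. The same regex works unchanged over a full process dump or the original file; the only tuning a practitioner normally needs is extending KNOWN with the tool names seen in their own environment.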

                Data Obfuscation:

                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 2.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 18.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 29.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 34.2.PURCHASE ORDER.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
```
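Each row above pairs the section table of the image dumped from the process at 0x400000 with the one in the file on disk: the .NET file ships .text/.rsrc/.reloc, while the image in memory has CODE/DATA/BSS/.idata/.tls/.rdata sections (a naming scheme Borland-family linkers use, not Microsoft's), i.e. a different PE was written over the original mapping, which is what the "overwrites its own PE header" rows below also record. Checking this by hand means reading the section table from the dump and from the file and diffing names and rights. The following is an added example for this page, not code from the report or the sample: a dependency-free section-table parser and a comparison in the spirit of the sandbox row, exercised on constructed PE skeletons that reproduce the two layouts above plus a self-modifying stub with a read-write-execute .text.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_rights(image):
    """Parse a PE image's section table; return [(name, flags)] with flags drawn from E/R/W."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\x00").decode("latin-1")
        chars = struct.unpack_from("<I", image, off + 36)[0]
        flags = "".join(letter for bit, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"),
                                                   (IMAGE_SCN_MEM_READ, "R"),
                                                   (IMAGE_SCN_MEM_WRITE, "W")) if chars & bit)
        out.append((name, flags))
    return out


def compare_layouts(on_disk, in_memory):
    """Diff a dumped image's section table against the file's, as the sandbox row does."""
    disk = dict(on_disk)
    report = {"new_sections": [], "changed": [], "writable_executable": []}
    for name, flags in in_memory:
        if name not in disk:
            report["new_sections"].append(name)
        elif disk[name] != flags:
            report["changed"].append((name, disk[name], flags))
        if "E" in flags and "W" in flags:
            report["writable_executable"].append(name)
    return report


def build_pe(sections):
    """Constructed minimal PE32 skeleton (headers + section table only) for testing."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    table = b"".join(
        name.encode().ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


# Constructed stand-ins for the two layouts in the rows above: the on-disk .NET
# file (.text/.rsrc/.reloc) and the dumped image (CODE/DATA/BSS/...).
DISK_IMAGE = build_pe([(".text", 0x60000020), (".rsrc", 0x40000040), (".reloc", 0x42000040)])
UNPACKED_IMAGE = build_pe([("CODE", 0x60000020), ("DATA", 0xC0000040), ("BSS", 0xC0000080),
                           (".idata", 0xC0000040), (".tls", 0xC0000000), (".rdata", 0x40000040),
                           (".reloc", 0x42000040), (".rsrc", 0x40000040)])
# A self-modifying stub with a read-write-execute .text, the classic packer tell.
RWX_STUB = build_pe([(".text", 0xE0000020)])

if __name__ == "__main__":
    print(compare_layouts(section_rights(DISK_IMAGE), section_rights(UNPACKED_IMAGE)))
    print(compare_layouts(section_rights(DISK_IMAGE), section_rights(RWX_STUB)))
```

The sandbox row abbreviates rights as ER/W/R; the parser prints every set bit, so a read-write data section shows as RW. On a real dump, feed section_rights() the bytes read from the process at the image base and the bytes of the file on disk; six new section names and no shared-section change is the pattern the rows above describe, whereas a changed .text that now reads ERW points at in-place self-modification rather than a replaced image.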
                Detected unpacking (creates a PE file in dynamic memory)
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 2.2.PURCHASE ORDER.exe.2410000.3.unpack
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 34.2.PURCHASE ORDER.exe.2390000.3.unpack
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 2.2.PURCHASE ORDER.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 18.2.PURCHASE ORDER.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 29.2.PURCHASE ORDER.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Unpacked PE file: 34.2.PURCHASE ORDER.exe.400000.0.unpack
                .NET source code contains potential unpacker
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00447320 push 004473ADh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00426024 push 00426050h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00428038 push 00428064h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00466080 push 004660ACh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040C090 push 0040C20Ch; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0046C150 push 0046C1C6h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00450134 push 0045019Fh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040C20E push 0040C27Fh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040C210 push 0040C27Fh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004482CC push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004262DC push 00426308h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040C2EE push 0040C31Ch; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040C2F0 push 0040C31Ch; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0041A288 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00410324 push 00410385h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00410388 push 00410589h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0042646C push 00426498h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0044856C push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00470574 push 004705A0h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0041058C push 004106D0h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040660A push 0040665Dh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0040660C push 0040665Dh; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004106A4 push 004106D0h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0043277C push 004327A8h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004067DC push 00406808h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004327EC push 00432818h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004327B4 push 004327E0h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0044884C push 00448878h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00406854 push 00406880h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0043285C push 00432888h; ret
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00432824 push 00432850h; ret

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_004415EC IsIconic,GetCapture,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_004415EC IsIconic,GetCapture,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 3_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Code function: 1_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Contains functionality to detect sleep reduction / modifications
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00436808
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00436808
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00436808
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6716 Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6720 Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6728 Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 7076 Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99891s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99797s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99687s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99547s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99437s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99344s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99250s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99141s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -99000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98891s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98797s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98687s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98594s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98500s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98344s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98250s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98141s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -98047s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97937s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97797s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97687s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97594s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97500s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97391s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97250s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5644 Thread sleep time: -97141s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6536 Thread sleep count: 153 > 30
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 4572 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5380 Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 1412 Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 1268 Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6740 Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99906s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99797s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99656s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99547s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99453s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99343s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99250s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99156s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -99000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98906s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98797s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98656s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98547s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98406s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98297s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98203s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98093s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -98000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -97593s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -97500s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6340 Thread sleep time: -97406s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5628 Thread sleep count: 102 > 30
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5220 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5360 Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5336 Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5340 Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 5008 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 4204 Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 2072 Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 248 Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6592 Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -99906s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -99797s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98859s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98750s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98656s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98547s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98406s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98297s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98203s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98109s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -98000s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97859s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97750s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97656s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97547s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97453s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97312s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97203s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97109s >= -30000s
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6172 Thread sleep time: -97000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00408A78 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00408A78 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00420920 GetSystemInfo,
                Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: PURCHASE ORDER.exe, 00000002.00000002.298858340.0000000007350000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358996033.0000000006730000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.389143637.0000000006870000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448831340.0000000006350000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: PURCHASE ORDER.exe, 00000022.00000002.443932118.0000000000887000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll//
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 1_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048F412 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048F4D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048A746 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 2_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: unknown target: C:\Users\user\Desktop\PURCHASE ORDER.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2104
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2112
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00470848 GetSystemTime,ExitProcess,7378B110,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 1_2_00447320 GetVersion,
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: PURCHASE ORDER.exe, 00000001.00000002.242159647.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
                Source: PURCHASE ORDER.exe, 00000002.00000002.292378043.0000000000768000.00000004.00000020.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp Binary or memory string: r\MsMpeng.exe
                Source: PURCHASE ORDER.exe, 00000022.00000002.444046847.000000000094A000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information:

                Yara detected HawkEye Keylogger
                Yara detected MailPassView
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to steal Instant Messenger accounts or passwords
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                Tries to steal Mail credentials (via file access)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Tries to steal Mail credentials (via file registry)
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword
                Yara detected WebBrowserPassView password recovery tool
                Source: Yara matchFile source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.446960963.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6312, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6940, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
                Source: Yara matchFile source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 39.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 39.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE

                Remote Access Functionality:

                Detected HawkEye Rat
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, string found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                Source: PURCHASE ORDER.exe, string found in binary or memory: HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, string found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, string found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, string found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
                Source: PURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, string found in binary or memory: (r#"HawkEye_Keylogger_Stealer_Records_
                Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, string found in binary or memory: HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, string found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
                Source: PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, string found in binary or memory: (r#"HawkEye_Keylogger_Stealer_Records_
                Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, string found in binary or memory: HawkEyeKeylogger|9(r
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, string found in binary or memory: HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, string found in binary or memory: HawkEyeKeylogger|9(r@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9(r@
                Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, string found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
                Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, string found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, string found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, string found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, string found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, string found in binary or memory: HawkEyeKeylogger
                Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, string found in binary or memory: (r'&HawkEye_Keylogger_Execution_Confirmed_
                Source: PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, string found in binary or memory: (r#"HawkEye_Keylogger_Stealer_Records_
                Yara detected HawkEye Keylogger
                Source: Yara match; file source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.385013929.0000000002FF6000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 5140, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 5772, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 6524, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 5076, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 6952, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 1396, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 6508, type: MEMORY
                Source: Yara match; file source: Process Memory Space: PURCHASE ORDER.exe PID: 764, type: MEMORY
                Source: Yara match; file source: 34.2.PURCHASE ORDER.exe.2390000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 34.2.PURCHASE ORDER.exe.680000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 33.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 18.2.PURCHASE ORDER.exe.21b0000.1.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 18.2.PURCHASE ORDER.exe.22f0000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 18.2.PURCHASE ORDER.exe.21b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 29.2.PURCHASE ORDER.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 29.2.PURCHASE ORDER.exe.2320000.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 1.2.PURCHASE ORDER.exe.2680000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 16.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 34.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 34.2.PURCHASE ORDER.exe.2280000.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 2.2.PURCHASE ORDER.exe.ae0000.1.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 29.2.PURCHASE ORDER.exe.2290000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 2.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 18.2.PURCHASE ORDER.exe.2240000.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 18.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 34.2.PURCHASE ORDER.exe.680000.1.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 29.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 2.2.PURCHASE ORDER.exe.2410000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 2.2.PURCHASE ORDER.exe.ae0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 29.2.PURCHASE ORDER.exe.2290000.1.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 1.2.PURCHASE ORDER.exe.2630000.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 33.2.PURCHASE ORDER.exe.2720000.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 16.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 28.2.PURCHASE ORDER.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 2.2.PURCHASE ORDER.exe.b90000.2.unpack, type: UNPACKEDPE
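The two detection blocks above rest on cleartext indicator strings: the HawkEye_Keylogger_* and \pidloc.txt!HawkEyeKeylogger literals in the "Detected HawkEye Rat" rows, and the PopPassword / SMTPPassword / ESMTPPassword field names the report attributes to code in the hollowed vbc.exe (the NirSoft Mail PassView module HawkEye bundles). As an added triage example, not Joe Sandbox code and not the community Yara rule the sandbox ran, the Python below searches a memory dump or unpacked PE for those strings in both ASCII and UTF-16LE form, because .NET assemblies store their literals wide while the native NirSoft code keeps them narrow. The sample buffers are constructed for the demonstration, and the "two distinct HawkEye strings" threshold for a verdict is my own choice, not the report's.

```python
"""Triage scan for HawkEye Keylogger and NirSoft Mail PassView indicator
strings in a memory dump or unpacked PE, matched in ASCII and UTF-16LE.

Added example: not Joe Sandbox code and not the community Yara rule the
report used. Indicator strings are taken from the report's string rows;
the sample buffers below are constructed.
"""
import re

# Strings from the report's "string found in binary or memory" rows (HawkEye).
HAWKEYE_INDICATORS = [
    b"HawkEyeKeylogger",
    b"HawkEye_Keylogger_Execution_Confirmed_",
    b"HawkEye_Keylogger_Stealer_Records_",
    b"HawkEye_Keylogger_Keylog_Records_",
    b"\\pidloc.txt",
]
# Credential field names the report attributes to vbc.exe (Mail PassView module).
MAILPASSVIEW_INDICATORS = [b"PopPassword", b"SMTPPassword", b"ESMTPPassword"]

FAMILIES = {
    "HawkEye Keylogger": HAWKEYE_INDICATORS,
    "MailPassView (NirSoft)": MAILPASSVIEW_INDICATORS,
}


def _patterns(indicator: bytes):
    """Compile the narrow (ASCII) and wide (UTF-16LE) forms of one indicator."""
    wide = indicator.decode("ascii").encode("utf-16-le")
    return (("ascii", re.compile(re.escape(indicator))),
            ("utf-16le", re.compile(re.escape(wide))))


def scan(buf: bytes):
    """Return every hit as (family, indicator, encoding, offset), sorted by offset."""
    hits = []
    for family, indicators in FAMILIES.items():
        for ind in indicators:
            for enc, rx in _patterns(ind):
                for m in rx.finditer(buf):
                    hits.append((family, ind.decode("ascii"), enc, m.start()))
    return sorted(hits, key=lambda h: h[3])


def classify(buf: bytes):
    """Families present in buf. HawkEye needs two distinct strings (my threshold,
    so a lone generic token does not produce a verdict); any Mail PassView field
    name is enough, since those names do not occur in ordinary binaries."""
    hits = scan(buf)
    verdict = set()
    if len({h[1] for h in hits if h[0] == "HawkEye Keylogger"}) >= 2:
        verdict.add("HawkEye Keylogger")
    if any(h[0] == "MailPassView (NirSoft)" for h in hits):
        verdict.add("MailPassView (NirSoft)")
    return sorted(verdict)


# Constructed buffers, not real dumps. A .NET image keeps its literals in the
# UTF-16LE #US heap, so the HawkEye strings are emitted wide; the NirSoft module
# is native code, so its field names appear as ASCII.
SAMPLE_HAWKEYE = (b"\x00" * 16
                  + "\\pidloc.txt!HawkEyeKeylogger".encode("utf-16-le")
                  + b"\x00" * 8
                  + "HawkEye_Keylogger_Execution_Confirmed_.txt".encode("utf-16-le"))
SAMPLE_NIRSOFT = b"MZ" + b"\x00" * 30 + b"PopPassword\x00SMTPPassword\x00ESMTPPassword\x00"
SAMPLE_CLEAN = b"PopularPasswordManager settings; Hawk Eye camera firmware"

if __name__ == "__main__":
    for name, buf in [("hawkeye", SAMPLE_HAWKEYE), ("nirsoft", SAMPLE_NIRSOFT), ("clean", SAMPLE_CLEAN)]:
        print(name, classify(buf))
        for hit in scan(buf):
            print("   ", hit)
```

Run against a real .sdmp or .unpack file with `classify(open(path, "rb").read())`; the offsets from `scan` give you the location to pivot to in a hex editor or disassembler. A memory-only hit with no disk-file hit is the usual sign of a packed or hollowed payload, which matches the MEMORY and UNPACKEDPE sources above.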

                Mitre Att&ck Matrix

                One line per tactic column of the report's matrix. A technique followed by digits was observed in this analysis; the digits are the report's signature counts for that technique, run together during extraction and reproduced as they appeared. Entries without a count are the remaining cells of the matrix grid and were not triggered.

                Initial Access: Replication Through Removable Media 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
                Execution: Windows Management Instrumentation 21; Native API 11; Shared Modules 1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic
                Persistence: DLL Side-Loading 1; Application Shimming 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                Privilege Escalation: DLL Side-Loading 1; Application Shimming 1; Process Injection 511; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 21; Software Packing 41; DLL Side-Loading 1; Masquerading 1; Modify Registry 1; Virtualization/Sandbox Evasion 6; Process Injection 511; Hidden Files and Directories 1; Right-to-Left Override; Rename System Utilities; Masquerade Task or Service
                Credential Access: OS Credential Dumping 1; Input Capture 211; Credentials in Registry 2; Credentials In Files 1; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
                Discovery: System Time Discovery 11; Peripheral Device Discovery 1; Account Discovery 1; File and Directory Discovery 1; System Information Discovery 39; Query Registry 1; Security Software Discovery 1101; Virtualization/Sandbox Evasion 6; Process Discovery 3; Application Window Discovery 11; System Owner/User Discovery 1; Remote System Discovery 1; System Network Configuration Discovery 1
                Lateral Movement: Replication Through Removable Media 1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM; Exploitation of Remote Services
                Collection: Archive Collected Data 11; Data from Local System 1; Screen Capture 1; Email Collection 1; Input Capture 211; Clipboard Data 3; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port
                Command and Control: Ingress Tool Transfer 1; Encrypted Channel 12; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 2; Application Layer Protocol 13; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                Behavior Graph

                Behavior Graph ID: 321194. Sample: PURCHASE ORDER.exe. Start date: 20/11/2020. Architecture: WINDOWS. Score: 100.

                Top-level signatures shown on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures.

                Process tree (as drawn in the graph): PURCHASE ORDER.exe starts a copy of itself, and that copy starts another, in a chain several levels deep; each injecting level is flagged "Maps a DLL or memory area into another process", and the copies that carry the payload are flagged "Writes to foreign memory regions", "Allocates memory in foreign processes" and "Sample uses process hollowing technique". Those copies spawn vbc.exe, which is flagged "Tries to steal Mail credentials (via file registry)", "Tries to steal Mail credentials (via file access)", "Tries to steal Instant Messenger accounts or passwords" and "Tries to harvest and steal browser information (history, passwords, etc)", and dw20.exe (the Microsoft error-reporting tool the .NET runtime launches on an unhandled exception). One copy is flagged "Installs a global keyboard hook"; one is flagged "Changes the view of files in windows explorer (hidden files and folders)".

                DNS/IP nodes: mail.iigcest.com, 166.62.27.57, ports 49724, 49740, 49762, AS-26496-GO-DADDY-COM-LLCUS, United States; whatismyipaddress.com; 194.167.4.0.in-addr.arpa; 2 other IPs or domains.

                Screenshots

                Thumbnails

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                PURCHASE ORDER.exe | 53% | Virustotal |
                PURCHASE ORDER.exe | 54% | ReversingLabs | Win32.Trojan.LokiBot
                PURCHASE ORDER.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                Source | Detection | Scanner | Label
                1.2.PURCHASE ORDER.exe.2680000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                1.2.PURCHASE ORDER.exe.2680000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                18.1.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                30.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                18.2.PURCHASE ORDER.exe.21b0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                33.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                16.2.PURCHASE ORDER.exe.2720000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                34.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                34.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                18.2.PURCHASE ORDER.exe.2240000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                18.2.PURCHASE ORDER.exe.2240000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                33.2.PURCHASE ORDER.exe.2780000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                33.2.PURCHASE ORDER.exe.2780000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                34.1.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                29.2.PURCHASE ORDER.exe.2320000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                29.2.PURCHASE ORDER.exe.2320000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                35.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                34.2.PURCHASE ORDER.exe.2390000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                34.2.PURCHASE ORDER.exe.2390000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                29.1.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                34.2.PURCHASE ORDER.exe.2280000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                34.2.PURCHASE ORDER.exe.2280000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                2.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                2.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                18.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                18.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                39.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                28.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                18.2.PURCHASE ORDER.exe.22f0000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                18.2.PURCHASE ORDER.exe.22f0000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                29.2.PURCHASE ORDER.exe.23b0000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                29.2.PURCHASE ORDER.exe.23b0000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                29.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                29.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                2.2.PURCHASE ORDER.exe.ae0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                16.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                19.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                34.2.PURCHASE ORDER.exe.680000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                16.2.PURCHASE ORDER.exe.2780000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                16.2.PURCHASE ORDER.exe.2780000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                3.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                2.2.PURCHASE ORDER.exe.b90000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                2.2.PURCHASE ORDER.exe.b90000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                22.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                28.2.PURCHASE ORDER.exe.2780000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                28.2.PURCHASE ORDER.exe.2780000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                2.1.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                1.2.PURCHASE ORDER.exe.2630000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                1.2.PURCHASE ORDER.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                2.2.PURCHASE ORDER.exe.2410000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                2.2.PURCHASE ORDER.exe.2410000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                33.2.PURCHASE ORDER.exe.2720000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                29.2.PURCHASE ORDER.exe.2290000.1.unpack | 100% | Avira | TR/Inject.vcoldi

                Domains

                Source | Detection | Scanner | Label
                mail.iigcest.com | 0% | Virustotal |
                194.167.4.0.in-addr.arpa | 0% | Virustotal |

                URLs

                Source | Detection | Scanner | Label
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/jp/L | 0% | Avira URL Cloud | safe
                http://www.monotype.g | 0% | Avira URL Cloud | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.fontbureau.comessed | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/~ | 0% | Avira URL Cloud | safe
                http://whatismyipaddress.comx& | 0% | Avira URL Cloud | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://fontfabrik.com | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe
                http://fontfabrik.comu | 0% | Avira URL Cloud | safe
                http://www.fontbureau.comcom | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/Norm | 0% | Avira URL Cloud | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/Y0J( | 0% | Avira URL Cloud | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.founder.com.cn/cnayob | 0% | Avira URL Cloud | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                http://www.fontbureau.comasc | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/icro | 0% | Avira URL Cloud | safe
                http://www.fontbureau.comF | 0% | URL Reputation | safe
                http://www.founder.com.cn/cnLog | 0% | Avira URL Cloud | safe
                http://www.fontbureau.comueta | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/L | 0% | Avira URL Cloud | safe
                https://whatismyipaddress.comx& | 0% | Avira URL Cloud | safe
                http://www.fontbureau.comli | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/E | 0% | Avira URL Cloud | safe
                http://en.wikipedia | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                http://www.fontbureau.comd | 0% | URL Reputation | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.fontbureau.comaE | 0% | Avira URL Cloud | safe
                http://www.tiro. | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/al | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn- | 0% | Avira URL Cloud | safe
                http://www.monotype. | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/p | 0% | URL Reputation | safe
                http://www.fontbureau.comm | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                whatismyipaddress.com | 104.16.155.36 | true | false | | high
                mail.iigcest.com | 166.62.27.57 | true | true | | unknown
                g.msn.com | unknown | unknown | false | | high
                194.167.4.0.in-addr.arpa | unknown | unknown | true | | unknown

                    Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://whatismyipaddress.com/ | false | | high

                      URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.fontbureau.com/designersG | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                http://www.fontbureau.com/designers/? | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                http://www.founder.com.cn/cn/bThe | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers? | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                http://www.jiyu-kobo.co.jp/jp/L | PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.monotype.g | PURCHASE ORDER.exe, 00000002.00000003.248147520.00000000050A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.tiro.com | PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers | PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                http://www.fontbureau.comessed | PURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.goodfont.co.kr | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/~ | PURCHASE ORDER.exe, 00000002.00000003.247116127.0000000005094000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://whatismyipaddress.comx& | PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://www.sajatypeworks.com | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.typography.netD | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn/cThe | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/staff/dennis.htm | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://fontfabrik.com | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/8 | PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e | vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp | false | | high
                http://fontfabrik.comu | PURCHASE ORDER.exe, 00000002.00000003.243348763.00000000050C5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.269515866.00000000007EC000.00000004.00000020.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp | false | | high
                http://www.fontbureau.comcom | PURCHASE ORDER.exe, 00000002.00000003.248367150.00000000050A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://whatismyipaddress.com/- | PURCHASE ORDER.exe, 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp | false | | high
                http://www.galapagosdesign.com/DPlease | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/Y0 | PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://login.yahoo.com/config/login | PURCHASE ORDER.exe, vbc.exe | false | | high
                http://www.fonts.com | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.243270063.00000000050C5000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                http://www.jiyu-kobo.co.jp/Norm | PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.sandoll.co.kr | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.site.com/logs.php | PURCHASE ORDER.exe, 0000001D.00000002.384284162.0000000002BFE000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp | false | | high
                https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c | vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp | false | | high
                http://www.urwpp.deDPlease | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/Y0J( | PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.nirsoft.net/ | vbc.exe, 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp | false | | high
                http://www.zhongyicts.com.cn | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cnayob | PURCHASE ORDER.exe, 00000002.00000003.244906268.00000000050A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1& | vbc.exe, 00000008.00000003.267880542.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000016.00000003.332376227.000000000219C000.00000004.00000001.sdmp, vbc.exe, 00000027.00000003.416901672.00000000021DC000.00000004.00000001.sdmp | false | | high
                http://www.sakkal.com | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.comasc | PURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.jiyu-kobo.co.jp/icro | PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://whatismyipaddress.com/ | PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp | false | | high
                http://www.apache.org/licenses/LICENSE-2.0 | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                http://www.fontbureau.com | PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmp | false | | high
                                                      https://whatismyipaddress.comPURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384957063.0000000002FD7000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.comFPURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.founder.com.cn/cnLogPURCHASE ORDER.exe, 00000002.00000003.244906268.00000000050A1000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.comuetaPURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/LPURCHASE ORDER.exe, 00000002.00000003.247452033.0000000005095000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://whatismyipaddress.comx&PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://whatismyipaddress.comPURCHASE ORDER.exe, 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.384934808.0000000002FC2000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.fontbureau.comliPURCHASE ORDER.exe, 00000002.00000003.248367150.00000000050A2000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/EPURCHASE ORDER.exe, 00000002.00000003.247452033.0000000005095000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://en.wikipediaPURCHASE ORDER.exe, 00000002.00000003.243158322.000000000509D000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/jp/PURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comdPURCHASE ORDER.exe, 00000002.00000003.248731713.00000000050A2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.carterandcone.comlPURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comaEPURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.tiro.PURCHASE ORDER.exe, 00000002.00000003.245788944.000000000509D000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers/cabarga.htmlNPURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.founder.com.cn/cnPURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.245859149.000000000509E000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/frere-jones.htmlPURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.jiyu-kobo.co.jp/alPURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.founder.com.cn/cn-PURCHASE ORDER.exe, 00000002.00000003.245859149.000000000509E000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.monotype.PURCHASE ORDER.exe, 00000002.00000003.250146188.00000000050CD000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000002.00000003.249323990.00000000050CC000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/pPURCHASE ORDER.exe, 00000002.00000003.247612292.0000000005099000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.commPURCHASE ORDER.exe, 00000002.00000002.296461553.0000000005090000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/PURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/iPURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/ograPURCHASE ORDER.exe, 00000002.00000003.247116127.0000000005094000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers8PURCHASE ORDER.exe, 00000002.00000002.296611311.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000012.00000002.358229310.0000000005100000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 0000001D.00000002.386166114.0000000005240000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000022.00000002.448051007.0000000005100000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://fontfabrik.com(PURCHASE ORDER.exe, 00000002.00000003.243348763.00000000050C5000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                low
                                                                http://www.jiyu-kobo.co.jp/bPURCHASE ORDER.exe, 00000002.00000003.247344395.000000000509B000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown

                                                                Contacted IPs


                                                                Public

IP              Domain    Country         ASN     ASN Name                      Malicious
104.16.155.36   unknown   United States   13335   CLOUDFLARENETUS               false
166.62.27.57    unknown   United States   26496   AS-26496-GO-DADDY-COM-LLCUS   true

                                                                Private

IP
192.168.2.1

                                                                General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321194
Start date: 20.11.2020
Start time: 15:34:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PURCHASE ORDER.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@44/23@20/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 83.2% (good quality ratio 81.1%)
• Quality average: 84.8%
• Quality standard deviation: 24.2%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
                                                                • TCP Packets have been reduced to 100
                                                                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 40.88.32.150, 23.210.248.85, 51.104.139.180, 52.255.188.83, 51.103.5.186, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.194, 92.122.213.247
                                                                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

Time       Type              Description
15:35:26   API Interceptor   91x Sleep call for process: PURCHASE ORDER.exe modified
15:35:42   API Interceptor   4x Sleep call for process: dw20.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs


                                                                          Domains

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                          mail.iigcest.comBANK-STATMENT _xlsx.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          INQUIRY.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          Vll6ZcOkEQ.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          x2rzwu7CQ3.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          X62RG9z7kY.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          SWIFT100892220-PDF.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          SWIFT0079111-pdf.exeGet hashmaliciousBrowse
                                                                          • 166.62.27.57
                                                                          Match | Associated Sample Name / URL | Detection | Context
                                                                           | AD1-2001328L_pdf.exe | malicious | 166.62.27.57
                                                                          whatismyipaddress.com | BANK-STATMENT _xlsx.exe | malicious | 104.16.154.36
                                                                           | INQUIRY.exe | malicious | 104.16.154.36
                                                                           | Prueba de pago.exe | malicious | 104.16.155.36
                                                                           | 879mgDuqEE.jar | malicious | 66.171.248.178
                                                                           | remittance1111.jar | malicious | 66.171.248.178
                                                                           | 879mgDuqEE.jar | malicious | 66.171.248.178
                                                                           | remittance1111.jar | malicious | 66.171.248.178
                                                                           | https://my-alliances.co.uk/ | malicious | 66.171.248.178
                                                                           | c9o0CtTIYT.exe | malicious | 104.16.154.36
                                                                           | mR3CdUkyLL.exe | malicious | 104.16.155.36
                                                                           | 6JLHKYvboo.exe | malicious | 104.16.155.36
                                                                           | jSMd8npgmU.exe | malicious | 104.16.155.36
                                                                           | khJdbt0clZ.exe | malicious | 104.16.154.36
                                                                           | ZMOKwXqVHO.exe | malicious | 104.16.154.36
                                                                           | 5Av43Q5IXd.exe | malicious | 104.16.154.36
                                                                           | 8oaZfXDstn.exe | malicious | 104.16.154.36
                                                                           | RXk6PjNTN8.exe | malicious | 104.16.155.36
                                                                           | 9vdouqRTh3.exe | malicious | 104.16.154.36
                                                                           | 5pB35gGfZ5.exe | malicious | 104.16.155.36
                                                                           | M9RhKQ1G91.exe | malicious | 104.16.154.36

                                                                          ASN

                                                                          Match | Associated Sample Name / URL | Detection | Context
                                                                          CLOUDFLARENETUS | https://eagleeyeproduce-my.sharepoint.com/:o:/p/mckrayp/EtopxtQDn3pOqhvY4g_gG3ABKX9ornSoGNhGOLlXyaU89Q?e=Ee0wW2 | malicious | 104.16.19.94
                                                                           | https://certified1.box.com/s/2ta9r7cyn5g09fblryd9xqqpnfxbjqej | malicious | 104.16.19.94
                                                                           | Report.464129889.doc | malicious | 104.28.21.160
                                                                           | SecuriteInfo.com.Trojan.PWS.StealerNET.67.29498.exe | malicious | 104.28.29.208
                                                                           | http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | malicious | 104.18.27.190
                                                                           | https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip# | malicious | 104.24.97.83
                                                                           | https://hastebin.com/raw/xatuvoxixa | malicious | 104.24.126.89
                                                                           | https://bit.ly/35MTO80 | malicious | 104.31.69.156
                                                                           | Order List.xlsx | malicious | 104.24.122.89
                                                                           | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious | 162.159.133.233
                                                                           | Request for quotation.xlsx | malicious | 172.67.181.41
                                                                           | MV TBN.exe | malicious | 104.28.5.151
                                                                           | PO 20-11-2020.pps | malicious | 172.67.22.135
                                                                           | Quotation ATB-PR28500KINH.exe | malicious | 1.1.1.1
                                                                           | 23prRlqeGr.exe | malicious | 104.23.98.190
                                                                           | RFQ-HSO-76411758-1.jar | malicious | 104.20.23.46
                                                                           | RFQ-HSO-76411758-1.jar | malicious | 104.20.22.46
                                                                           | iG9YiwEMru.exe | malicious | 104.27.132.115
                                                                           | Avion Quotation Request.doc | malicious | 104.22.54.159
                                                                           | SUSPENSION LETTER ON SIM SWAP.pdf.exe | malicious | 172.67.131.55
                                                                          AS-26496-GO-DADDY-COM-LLCUS | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious | 192.186.237.168
                                                                           | BANK-STATMENT _xlsx.exe | malicious | 166.62.27.57
                                                                           | Purchase Order 40,7045.exe | malicious | 198.71.232.3
                                                                           | Payment Advice - Advice Ref GLV823990339.exe | malicious | 184.168.131.241
                                                                           | MV.KMTC JEBEL ALI_pdf.exe | malicious | 184.168.131.241
                                                                           | PO0119-1620 LQSB 0320 Siemens.exe | malicious | 184.168.131.241
                                                                           | PO#0007507_009389283882873PDF.exe | malicious | 192.186.237.168
                                                                           | http://homeschoolingteen.com | malicious | 107.180.51.106
                                                                           | http://p3nlhclust404.shr.prod.phx3.secureserver.net | malicious | 72.167.191.65
                                                                           | INQUIRY.exe | malicious | 166.62.27.57
                                                                           | moses.exe | malicious | 148.66.138.196
                                                                           | PROOF OF PAYMENT.exe | malicious | 184.168.131.241
                                                                           | baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 184.168.131.241
                                                                           | https://j.mp/38NwiZZ | malicious | 107.180.26.71
                                                                           | POSH XANADU Order-SP-20-V241e.xlsx | malicious | 184.168.131.241
                                                                           | https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304 | malicious | 198.71.233.138
                                                                           | https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304 | malicious | 198.71.233.138
                                                                           | anthony.exe | malicious | 107.180.4.22
                                                                           | https://sailingfloridakeys.com/Guarantee/ | malicious | 104.238.92.18
                                                                           | oX3qPEgl5x.exe | malicious | 198.71.232.3

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_purchase order.e_92d8e08de16268aa8cb7e98cbe71d84aa9135eb_00000000_043644b2\Report.wer
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):18538
                                                                          Entropy (8bit):3.7612741860684284
                                                                          Encrypted:false
                                                                          SSDEEP:192:M37TMi+VZjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sKS274It1:87T2jB7vqsSt/u7sKX4It1
                                                                          MD5:E155DAA9C56194B0A9A588D55B99532C
                                                                          SHA1:2FAE2B15FB320A1A01A8DBDBBD8A41C5E95553E7
                                                                          SHA-256:C77BA4C260975AE297BC00277CF33D2B1884E67A4FCB48B7DE159A7B3C44D9DD
                                                                          SHA-512:6D471E389082EEEC988344D1556821240D516F3EB75D2127935093F19A612F11AC68F6B622B5DFE8F5B41E93E9AF95EB714BE75EBF1EE02EAD3804463C5F06E1
                                                                          Malicious:false
                                                                          Preview (decoded from UTF-16LE):
                                                                              Version=1
                                                                              EventType=CLR20r3
                                                                              EventTime=132503889554055794
                                                                              ReportType=2
                                                                              Consent=1
                                                                              UploadTime=132503889566086988
                                                                              ReportStatus=268435456
                                                                              ReportIdentifier=c10a0be2-064a-490b-ab37-25defa49c9a8
                                                                              Wow64Host=34404
                                                                              Wow64Guest=332
                                                                              AppSessionGuid=00001b28-0001-0016-956f-eddf95bfd601
                                                                              TargetAppId=W:00065ae648210a4df65b93a5baab5fffebaa0000ffff!0000457de2e691794711d257ab9c6315d6f26465ce1a!PURCHASE ORDER.exe
                                                                              TargetAppVer=2020//11//18:07:45:17!0!PURCHASE ORDER.exe
                                                                              BootId=4294967295
                                                                              TargetAsId=355
                                                                              Is
                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_purchase order.e_92d8e08de16268aa8cb7e98cbe71d84aa9135eb_00000000_1222ed66\Report.wer
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):18536
                                                                          Entropy (8bit):3.761301220538883
                                                                          Encrypted:false
                                                                          SSDEEP:192:Qe7VMi+VZjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7slS274ItT:l7V2jB7vqsSt/u7slX4ItT
                                                                          MD5:32F3FF00FA2CC344B1A388D72493F31B
                                                                          SHA1:A819FE301ED92583003E18631159B233FB1EA8A3
                                                                          SHA-256:ADA582DE12F13C70A83C82C21A1D1A95A2D0259C20C3F25854201684E56F23A2
                                                                          SHA-512:F60F0A005D9A5E26A11B06BB1896F36C7990D7A6D1BAFE6364FB5036653E9AA9A9B35B4A3DEF1EE433338303FAB967EFFC35772A43FE9A62CA477A65058A997F
                                                                          Malicious:false
                                                                          Preview (decoded from UTF-16LE):
                                                                              Version=1
                                                                              EventType=CLR20r3
                                                                              EventTime=132503889960930361
                                                                              ReportType=2
                                                                              Consent=1
                                                                              UploadTime=132503889972492828
                                                                              ReportStatus=268435456
                                                                              ReportIdentifier=b4b80725-aeca-4c58-b0b6-e56f0a68664a
                                                                              Wow64Host=34404
                                                                              Wow64Guest=332
                                                                              AppSessionGuid=000013d4-0001-0016-47c0-75f995bfd601
                                                                              TargetAppId=W:00065ae648210a4df65b93a5baab5fffebaa0000ffff!0000457de2e691794711d257ab9c6315d6f26465ce1a!PURCHASE ORDER.exe
                                                                              TargetAppVer=2020//11//18:07:45:17!0!PURCHASE ORDER.exe
                                                                              BootId=4294967295
                                                                              TargetAsId=371
                                                                              Is
                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_purchase order.e_92d8e08de16268aa8cb7e98cbe71d84aa9135eb_00000000_15327d85\Report.wer
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):18538
                                                                          Entropy (8bit):3.7609687340074123
                                                                          Encrypted:false
                                                                          SSDEEP:192:gc3O7rMi+VZjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7slS274ItB:pe7r2jB7vqsSt/u7slX4ItB
                                                                          MD5:92D85D669290DB026D73199633BD7961
                                                                          SHA1:963AAE602E439518BEA07147D50CAC8A40417583
                                                                          SHA-256:37ABE930977B082023DD22B6CDD8E2AC129F53C7B1E4E12011736CD540170A92
                                                                          SHA-512:F6A83ABCAF757F9FE7C7252E43F1CDD16A8BC9949EBB7EA35DA8BACB1C17BD0AC627A3DDCC48A6AB033DEC78E59B8EB640D3EB6A0C2378081670A1002F9FE858
                                                                          Malicious:false
                                                                          Preview (decoded from UTF-16LE):
                                                                              Version=1
                                                                              EventType=CLR20r3
                                                                              EventTime=132503889829524235
                                                                              ReportType=2
                                                                              Consent=1
                                                                              UploadTime=132503889840461704
                                                                              ReportStatus=268435456
                                                                              ReportIdentifier=0dde059b-c6e7-4d74-8614-4b86a1af76bc
                                                                              Wow64Host=34404
                                                                              Wow64Guest=332
                                                                              AppSessionGuid=00001414-0001-0016-17ad-a7f095bfd601
                                                                              TargetAppId=W:00065ae648210a4df65b93a5baab5fffebaa0000ffff!0000457de2e691794711d257ab9c6315d6f26465ce1a!PURCHASE ORDER.exe
                                                                              TargetAppVer=2020//11//18:07:45:17!0!PURCHASE ORDER.exe
                                                                              BootId=4294967295
                                                                              TargetAsId=366
                                                                              Is
                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_purchase order.e_92d8e08de16268aa8cb7e98cbe71d84aa9135eb_00000000_1a21d946\Report.wer
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):18538
                                                                          Entropy (8bit):3.761230444421508
                                                                          Encrypted:false
                                                                          SSDEEP:192:nUrR75Mi+VZjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sKS274ItZ:niR752jB7vqsSt/u7sKX4ItZ
                                                                          MD5:553002124FDAD004DAEE206882E6183D
                                                                          SHA1:EF5FEB462E2BDB237CF5C68AB03BF33F71AE7F2E
                                                                          SHA-256:4EC2699B59D4B60EE73DCEC1CD1C3274456F30D410ABC8B87E2D4DB6BCDDF9DF
                                                                          SHA-512:22EF2C8B1B504AB1AC8C152BFE5760DBDC0D97A8533EC1F23588D3F98B8F2348BEC0091B868872B1E096637EAC7DA10EC3B42698324D4C8E285997AF55A22A72
                                                                          Malicious:false
                                                                          Preview (decoded from UTF-16LE):
                                                                              Version=1
                                                                              EventType=CLR20r3
                                                                              EventTime=132503889269056039
                                                                              ReportType=2
                                                                              Consent=1
                                                                              UploadTime=132503889282024754
                                                                              ReportStatus=268435456
                                                                              ReportIdentifier=e655f28b-cbe9-4f5d-936b-fc54ebcc8886
                                                                              Wow64Host=34404
                                                                              Wow64Guest=332
                                                                              AppSessionGuid=0000197c-0001-0016-cfd3-5cce95bfd601
                                                                              TargetAppId=W:00065ae648210a4df65b93a5baab5fffebaa0000ffff!0000457de2e691794711d257ab9c6315d6f26465ce1a!PURCHASE ORDER.exe
                                                                              TargetAppVer=2020//11//18:07:45:17!0!PURCHASE ORDER.exe
                                                                              BootId=4294967295
                                                                              TargetAsId=339
                                                                              Is
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER75B5.tmp.WERInternalMetadata.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):5670
                                                                          Entropy (8bit):3.725613373922266
                                                                          Encrypted:false
                                                                          SSDEEP:96:RtIU6o7r3GLt3i9+c6UURmYXtYZRuvUubSfyIgDyyBCaM11G01fYHHm:Rrl7r3GLNi0c6rmoYZRuvUubSeCp117l
                                                                          MD5:66A95A99203A9BEB19706F064BB3DC13
                                                                          SHA1:847E3E21815F44DD562403298741AD8D89C466B0
                                                                          SHA-256:ABF2579673D7F259C68ADF574CCB6340F0D3324EF8CA1743C5B5F6A9AF93A5DD
                                                                          SHA-512:0641DB62BFEF36A5531EDDB2A333FDD2FA0CCB9792C459611DE4BF7A854DC6FE98668294EE7DA7660A38DAA3AE8677C4944880B03E6BCFB5F4C321BAB61CA758
                                                                          Malicious:false
                                                                          Preview (decoded from UTF-16LE):
                                                                              <?xml version="1.0" encoding="UTF-16"?>
                                                                              <WERReportMetadata>
                                                                                <OSVersionInformation>
                                                                                  <WindowsNTVersion>10.0</WindowsNTVersion>
                                                                                  <Build>17134</Build>
                                                                                  <Product>(0x30): Windows 10 Pro</Product>
                                                                                  <Edition>Professional</Edition>
                                                                                  <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                                                                  <Revision>1</Revision>
                                                                                  <Flavor>Multiprocessor Free</Flavor>
                                                                                  <Architecture>X64</Architecture>
                                                                                  <LCID>1033</LCID>
                                                                                </OSVersionInformation>
                                                                                <ProcessInformation>
                                                                                  <Pid>5140</Pid>
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7681.tmp.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4637
                                                                          Entropy (8bit):4.466098112221119
                                                                          Encrypted:false
                                                                          SSDEEP:48:cvIwSD8zsSJgtWI9zjvWSC8Bv8fm8M4JFK87Fo+q8v3rBY/v4zMd:uITfgE+SNOJFKdK7BY/veMd
                                                                          MD5:DC70FB9A306A1644A1EB1F8DA23045B0
                                                                          SHA1:90005CBC2F21E7029A8F1CC07D3D80D8EBB16C1F
                                                                          SHA-256:54F810B4968CBF0822246005C182AE42F6B83A8392B5A04BE07D5FBFEBA78E4A
                                                                          SHA-512:D4B09E4EBB5AA5256104619AE7804C84BEEA22C39BF5E98464D7F4A5CF0D01CFD08129BECBDF8391C2D60CE0C0E86665ACA516FAFC6B39D8264BCEE702356BCA
                                                                          Malicious:false
                                                                          Preview:
                                                                              <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                                                              <req ver="2">
                                                                                <tlm>
                                                                                  <src>
                                                                                    <desc>
                                                                                      <mach>
                                                                                        <os>
                                                                                          <arg nm="vermaj" val="10" />
                                                                                          <arg nm="vermin" val="0" />
                                                                                          <arg nm="verbld" val="17134" />
                                                                                          <arg nm="vercsdbld" val="1" />
                                                                                          <arg nm="verqfe" val="1" />
                                                                                          <arg nm="csdbld" val="1" />
                                                                                          <arg nm="versp" val="0" />
                                                                                          <arg nm="arch" val="9" />
                                                                                          <arg nm="lcid" val="1033" />
                                                                                          <arg nm="geoid" val="244" />
                                                                                          <arg nm="sku" val="48" />
                                                                                          <arg nm="domain" val="0" />
                                                                                          <arg nm="prodsuite" val="256" />
                                                                                          <arg nm="ntprodtype" val="1" />
                                                                                          <arg nm="platid" val="2" />
                                                                                          <arg nm="tmsi" val="737807" />
                                                                                          <arg nm="osinsty" val="1" />
                                                                                          <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                                                                          <arg nm="portos" val="0" />
                                                                                          <arg nm="ram" val="4096" />
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A98.tmp.WERInternalMetadata.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):7634
                                                                          Entropy (8bit):3.6961497902166736
                                                                          Encrypted:false
                                                                          SSDEEP:192:Rrl7r3GLNixl62k6YZN6ZgmfZRuvUubSeCp1bnk1fzJm:RrlsNiT616YT6ZgmfWvvbSHbnOfA
                                                                          MD5:CA2B30B7EA227772540799255417545E
                                                                          SHA1:8E0C4B5C82194EEF078B159D6A7E98D48269EB37
                                                                          SHA-256:9A090539965E65A028FFA43C2E37ACD331AC627EE374F5723D71DEDF56C96315
                                                                          SHA-512:26364668BE2C0B864B6B6B5D30812F48A84903432BBB44FBC41BDF921690BA9D44627C441CC5B1C2002AA64CE630609490DB6457416B3883680B41E0C69A4BE4
                                                                          Malicious:false
                                                                          Preview (decoded from UTF-16LE):
                                                                              <?xml version="1.0" encoding="UTF-16"?>
                                                                              <WERReportMetadata>
                                                                                <OSVersionInformation>
                                                                                  <WindowsNTVersion>10.0</WindowsNTVersion>
                                                                                  <Build>17134</Build>
                                                                                  <Product>(0x30): Windows 10 Pro</Product>
                                                                                  <Edition>Professional</Edition>
                                                                                  <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                                                                  <Revision>1</Revision>
                                                                                  <Flavor>Multiprocessor Free</Flavor>
                                                                                  <Architecture>X64</Architecture>
                                                                                  <LCID>1033</LCID>
                                                                                </OSVersionInformation>
                                                                                <ProcessInformation>
                                                                                  <Pid>6524</Pid>
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B35.tmp.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4637
                                                                          Entropy (8bit):4.468657512838299
                                                                          Encrypted:false
                                                                          SSDEEP:48:cvIwSD8zsZJgtWI9zjvWSC8BF8fm8M4JFK87Ft+q8v3SjY/v4zsd:uITfrE+SNMJFK4KIY/vesd
                                                                          MD5:5D07C996276098B247DC50666D46E784
                                                                          SHA1:D9285F7FEBF09F8EEB7CC216C9AFAD2085C447C4
                                                                          SHA-256:0DC16259F4435AF5927F7362859B1EAD065BE6BB08FEC755F8E94D9FB5D7C962
                                                                          SHA-512:62269688E80BEAB0EBD09B09FE0FD2D99CDFDB99AD8E9404C003C2DCAD12AC9FE91E154A44658C29E8A6E0E84D477D31B4D0C164C87D96B3ED22DFCD83742CEF
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="737806" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERA49.tmp.WERInternalMetadata.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):5670
                                                                          Entropy (8bit):3.728857484284284
                                                                          Encrypted:false
                                                                          SSDEEP:96:RtIU6o7r3GLt3il+f6C6rYZRuvUubSfyIgDyyBCaM1nz1feWtm:Rrl7r3GLNicf6frYZRuvUubSeCp1nz1i
                                                                          MD5:7C44EF98856EAF72430447C00DE7EFB8
                                                                          SHA1:511DD1C5AB91F35B5F9FE3B29420421D01851634
                                                                          SHA-256:C0A929C728D7F663C7D7112E6C7CB71D377407A52C79F1C2523879C75F1E34E8
                                                                          SHA-512:7F076795F77976B16035E4D3F2AC946131EFA8B3BA156CA222091973705D0C6AF9878E7E8F7F08B641CCEB4FBF764D128B2A4070098CF523BEB13187B270DCCB
                                                                          Malicious:false
                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.5.2.<./.P.i.d.>.......
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERA968.tmp.WERInternalMetadata.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):5670
                                                                          Entropy (8bit):3.7286695574052597
                                                                          Encrypted:false
                                                                          SSDEEP:96:RtIU6o7r3GLt3ih+m6E/rYZRuvUubSfyIgDyyBCaM15B1f3zm:Rrl7r3GLNiYm6KrYZRuvUubSeCp15B1i
                                                                          MD5:B7841460606C8E356254549E96EA26C6
                                                                          SHA1:B99721423941373D53910731A608944DDDAEA6FF
                                                                          SHA-256:0FCB07A62695F96C266583A67291FAA27EE71820FC7FE255A11CEF250568E3EC
                                                                          SHA-512:CE29827049F3CA4504738155E94F402763633B4CE62E6769286D26A3BAA1BFF8CDC45BE08B87D72FEB77E27F3EFBAB87D5029932D2AC57ED14703F83AC072E60
                                                                          Malicious:false
                                                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.7.6.<./.P.i.d.>.......
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA05.tmp.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4637
                                                                          Entropy (8bit):4.466997292433701
                                                                          Encrypted:false
                                                                          SSDEEP:48:cvIwSD8zsSJgtWI9zjvWSC8B28fm8M4JFK87FgY+q8v3EIY/v4zgd:uITfgE+SNpJFKvYKHY/vegd
                                                                          MD5:462D0CF1592ACF65F115D8F452325A51
                                                                          SHA1:90AF2EA36190B1A8294314BB64B1718299ADB1E8
                                                                          SHA-256:6BC87AEB273F0E6DF4CC2068AEF86CAF0F5D90A7791C45FD7DC373836BCAE818
                                                                          SHA-512:476A0E70A1F8899B41129857AFD053BDAF49EE677E09A9FEC6EFF2B8A858148E1912FC44F290067300ABA909B6673C6403905C26B2ECA332674E950803DF6A9A
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="737807" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERB83.tmp.xml
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4637
                                                                          Entropy (8bit):4.466102726687347
                                                                          Encrypted:false
                                                                          SSDEEP:48:cvIwSD8zsZJgtWI9zjvWSC8BnL8fm8M4JFK87Fj+q8v30Y/v4z2d:uITfrE+SNyJFKuKkY/ve2d
                                                                          MD5:EDD1DDE8D91F253E3171462003970850
                                                                          SHA1:F45BCBD24F14E6A5A1BA66CBDA602C1933234726
                                                                          SHA-256:2358DD0EE4F13F747AABCF5B0936EB6588B81EC7B76F0282AC7520C2FF8B09E8
                                                                          SHA-512:3473AC6A4CF4A494903019E22AD8E90541D6152B55A1ADDAFACA125CADD017DA3B782F488AEED4BBD6BFD1B8D445ADF99163C0593AF124E5C8083B0918281E6C
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="737806" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                          C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                          File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):2
                                                                          Entropy (8bit):1.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Qn:Qn
                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                          Malicious:false
                                                                          Preview: ..
                                                                          C:\Users\user\AppData\Roaming\pid.txt
                                                                          Process:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):2.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Ag:Ag
                                                                          MD5:4A64D913220FCA4C33C140C6952688A8
                                                                          SHA1:6E17D48D70083E4BCB0E1B2335AD62C94F2204AF
                                                                          SHA-256:71181F5D23343D7DB98F90AED3499D8C2A23131B3151CC66C4591918DFC09ACC
                                                                          SHA-512:E29AF08FD7C5AD519F2DE2137DF95B77FF41306E3B5DDABA2ADD8C75AC54AB6FEE3E05C2792429D66BB72B2620EF5097A7DBC3C69459907543B81704BDFB6069
                                                                          Malicious:false
                                                                          Preview: 5076
                                                                          C:\Users\user\AppData\Roaming\pidloc.txt
                                                                          Process:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):42
                                                                          Entropy (8bit):4.469582006060583
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNUWJRW1wNgg3Jn:oNNJA6Ngg3J
                                                                          MD5:6D2242307451E9E440AF62BB1BA24799
                                                                          SHA1:CF6B565F218D3DE0086724128957C2C384190C9A
                                                                          SHA-256:9166215B6AA36EFDABC32D2F4CE66B0084973FF3E2F77FE2477FA5A5BD73F852
                                                                          SHA-512:93E4D51B3DA65057380F97039583D112A18A347B782DA4AF6D4F5C1839F00C8D0633C8E1470794B0B12D58FD579A33CE098C189AE732B49F616D270344DAE994
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\Desktop\PURCHASE ORDER.exe

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):6.987045896881915
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                          • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                          • Windows Screen Saver (13104/52) 0.13%
                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          File name:PURCHASE ORDER.exe
                                                                          File size:973824
                                                                          MD5:8e2337f7cdd4bcd18e862b7a73734d49
                                                                          SHA1:457de2e691794711d257ab9c6315d6f26465ce1a
                                                                          SHA256:d30629a1a9aad3b8bc1e3827ab767473089214fd801b556f9ed3430f39bacbdd
                                                                          SHA512:7cf93e3fb60f69895a23fd8537e36394779a7a8307091691006e56ec3465d57ecfcb854327acfcf0b184e126a1bf8e6994234155e5ce020caa4bd66fe01c597b
                                                                          SSDEEP:24576:Vwz1Kx2k3T0jZGOL7JLBiWgpLW0obEI2PUSuoebNh2bK39:VwKxz3ewuPgFW0eE7Uu/bw9
                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                          File Icon

                                                                          Icon Hash:ecccacacccec70a2

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x470d00
                                                                          Entrypoint Section:CODE
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                          DLL Characteristics:
                                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:429b4d8f1079c5bb87cad5efdb4eabf0

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          add esp, FFFFFFF0h
                                                                          mov eax, 00470B08h
                                                                          call 00007F48F0D44C5Dh
                                                                          mov eax, dword ptr [00489FACh]
                                                                          mov eax, dword ptr [eax]
                                                                          call 00007F48F0D99C85h
                                                                          mov ecx, dword ptr [0048A0A4h]
                                                                          mov eax, dword ptr [00489FACh]
                                                                          mov eax, dword ptr [eax]
                                                                          mov edx, dword ptr [004705ACh]
                                                                          call 00007F48F0D99C85h
                                                                          mov eax, dword ptr [00489FACh]
                                                                          mov eax, dword ptr [eax]
                                                                          call 00007F48F0D99CF9h
                                                                          call 00007F48F0D42754h
                                                                          lea eax, dword ptr [eax+00h]

                                                                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8c000          0x2496        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x99000          0x5a2ac       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x91000          0x7b70        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x90000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x6fd48 | 0x6fe00 | False | 0.517266061453 | data | 6.51621253086 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0x71000 | 0x19130 | 0x19200 | False | 0.189841806592 | data | 2.85009273727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0x8b000 | 0xcb1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x8c000 | 0x2496 | 0x2600 | False | 0.352796052632 | data | 4.9419643729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x8f000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x90000 | 0x18 | 0x200 | False | 0.048828125 | data | 0.186582516435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x91000 | 0x7b70 | 0x7c00 | False | 0.575321320565 | data | 6.64623366609 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x99000 | 0x5a2ac | 0x5a400 | False | 0.904878484245 | data | 7.5640335424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x99e90 | 0x134 | data | |
RT_CURSOR | 0x99fc4 | 0x134 | data | |
RT_CURSOR | 0x9a0f8 | 0x134 | data | |
RT_CURSOR | 0x9a22c | 0x134 | data | |
RT_CURSOR | 0x9a360 | 0x134 | data | |
RT_CURSOR | 0x9a494 | 0x134 | data | |
RT_CURSOR | 0x9a5c8 | 0x134 | data | |
RT_BITMAP | 0x9a6fc | 0x1d0 | data | |
RT_BITMAP | 0x9a8cc | 0x1e4 | data | |
RT_BITMAP | 0x9aab0 | 0x1d0 | data | |
RT_BITMAP | 0x9ac80 | 0x1d0 | data | |
RT_BITMAP | 0x9ae50 | 0x1d0 | data | |
RT_BITMAP | 0x9b020 | 0x1d0 | data | |
RT_BITMAP | 0x9b1f0 | 0x1d0 | data | |
RT_BITMAP | 0x9b3c0 | 0x1d0 | data | |
RT_BITMAP | 0x9b590 | 0x53511 | data | English | United States
RT_BITMAP | 0xeeaa4 | 0x1d0 | data | |
RT_BITMAP | 0xeec74 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xeed34 | 0xd8 | data | |
RT_BITMAP | 0xeee0c | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xeeeec | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xeefcc | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef0ac | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef16c | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef22c | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef30c | 0xd8 | data | |
RT_BITMAP | 0xef3e4 | 0xd8 | data | |
RT_BITMAP | 0xef4bc | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef57c | 0xd8 | data | |
RT_BITMAP | 0xef654 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef734 | 0xd8 | data | |
RT_BITMAP | 0xef80c | 0xe8 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef8f4 | 0xc0 | GLS_BINARY_LSB_FIRST | |
RT_BITMAP | 0xef9b4 | 0xe0 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xefa94 | 0x8a8 | data | English | United States
RT_DIALOG | 0xf033c | 0x52 | data | |
RT_STRING | 0xf0390 | 0x194 | data | |
RT_STRING | 0xf0524 | 0x2b0 | data | |
RT_STRING | 0xf07d4 | 0xdc | data | |
RT_STRING | 0xf08b0 | 0x17c | data | |
RT_STRING | 0xf0a2c | 0x1f0 | data | |
RT_STRING | 0xf0c1c | 0x4ac | data | |
RT_STRING | 0xf10c8 | 0x39c | data | |
RT_STRING | 0xf1464 | 0x378 | data | |
RT_STRING | 0xf17dc | 0x418 | data | |
RT_STRING | 0xf1bf4 | 0xf4 | data | |
RT_STRING | 0xf1ce8 | 0xc4 | data | |
RT_STRING | 0xf1dac | 0x2e0 | data | |
RT_STRING | 0xf208c | 0x35c | data | |
RT_STRING | 0xf23e8 | 0x2b4 | data | |
RT_RCDATA | 0xf269c | 0x10 | data | |
RT_RCDATA | 0xf26ac | 0x280 | data | |
RT_RCDATA | 0xf292c | 0x841 | Delphi compiled form 'TForm1' | |
RT_GROUP_CURSOR | 0xf3170 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf3184 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf3198 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf31ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf31c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf31d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_CURSOR | 0xf31e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_ICON | 0xf31fc | 0x14 | data | English | United States
RT_HTML | 0xf3210 | 0x99 | data | English | United States

Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
mpr.dll | WNetGetConnectionA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
kernel32.dll | MulDiv

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/20/20-15:35:41.173626 | TCP | 2019926 | ET TROJAN HawkEye Keylogger Report SMTP | 49724 | 587 | 192.168.2.5 | 166.62.27.57
11/20/20-15:36:11.928255 | TCP | 2019926 | ET TROJAN HawkEye Keylogger Report SMTP | 49740 | 587 | 192.168.2.5 | 166.62.27.57
11/20/20-15:36:51.085077 | TCP | 2019926 | ET TROJAN HawkEye Keylogger Report SMTP | 49762 | 587 | 192.168.2.5 | 166.62.27.57
11/20/20-15:37:20.113019 | TCP | 2019926 | ET TROJAN HawkEye Keylogger Report SMTP | 49767 | 587 | 192.168.2.5 | 166.62.27.57

Network Port Distribution

TCP Packets


UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2020 15:35:22.485043049 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:22.512227058 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:23.208142042 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:23.235186100 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:23.995783091 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:24.023004055 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:24.719803095 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:24.746911049 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:25.369910955 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:25.397202015 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:26.177361012 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:26.223524094 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:26.435781002 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:26.473666906 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:26.560717106 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:26.600693941 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:29.742211103 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:29.777884960 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:30.927819014 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:30.954982996 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:31.373215914 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:31.409970999 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:34.082715034 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:34.109980106 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:35.164407015 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:35.191513062 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:37.027270079 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:37.084184885 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:38.597119093 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:38.635288000 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:38.655385971 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:38.682647943 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:53.465348005 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:53.511528969 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:53.852731943 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:53.888447046 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:55.023741007 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:55.059571981 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:35:58.005474091 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:35:58.032727957 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:03.671190977 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:03.717258930 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:04.601073027 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:04.636589050 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:05.352711916 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:05.388645887 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:05.818730116 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:05.854357958 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:06.149993896 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:06.185600042 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:08.338323116 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:08.365674973 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:08.549774885 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:08.587776899 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:09.024678946 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:09.060378075 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:09.269169092 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:09.304965973 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:09.714523077 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:09.741713047 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:10.749423981 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:10.785088062 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:12.220356941 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:12.264134884 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:13.368071079 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:13.405908108 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:13.877084970 CET | 62372 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:13.904150009 CET | 53 | 62372 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:15.087770939 CET | 61515 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:15.124664068 CET | 53 | 61515 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:21.511286974 CET | 56675 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:21.546901941 CET | 53 | 56675 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:21.999161005 CET | 57172 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:22.034761906 CET | 53 | 57172 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:22.141558886 CET | 55267 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:22.179312944 CET | 53 | 55267 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:25.500250101 CET | 50969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:25.527271032 CET | 53 | 50969 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:35.422328949 CET | 64362 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:35.457957983 CET | 53 | 64362 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:35.715254068 CET | 54766 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:35.750921011 CET | 53 | 54766 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:35.838325024 CET | 61446 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:35.874130964 CET | 53 | 61446 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:38.651498079 CET | 57515 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:38.697566986 CET | 53 | 57515 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:41.010653019 CET | 58199 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:41.037905931 CET | 53 | 58199 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:48.295718908 CET | 65221 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:48.331558943 CET | 53 | 65221 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:59.161374092 CET | 61573 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:59.199176073 CET | 53 | 61573 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:59.228987932 CET | 56562 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:59.257011890 CET | 53 | 56562 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:36:59.310436010 CET | 53591 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:36:59.346191883 CET | 53 | 53591 | 8.8.8.8 | 192.168.2.5
Nov 20, 2020 15:37:17.825516939 CET | 59688 | 53 | 192.168.2.5 | 8.8.8.8
Nov 20, 2020 15:37:17.869319916 CET | 53 | 59688 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 15:35:26.177361012 CET | 192.168.2.5 | 8.8.8.8 | 0x2a1c | Standard query (0) | 194.167.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:35:26.435781002 CET | 192.168.2.5 | 8.8.8.8 | 0xfe21 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:26.560717106 CET | 192.168.2.5 | 8.8.8.8 | 0x5f15 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:38.597119093 CET | 192.168.2.5 | 8.8.8.8 | 0xd370 | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:53.465348005 CET | 192.168.2.5 | 8.8.8.8 | 0xa285 | Standard query (0) | 194.167.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:35:53.852731943 CET | 192.168.2.5 | 8.8.8.8 | 0x4211 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:55.023741007 CET | 192.168.2.5 | 8.8.8.8 | 0x20d1 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:09.269169092 CET | 192.168.2.5 | 8.8.8.8 | 0x5551 | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:12.220356941 CET | 192.168.2.5 | 8.8.8.8 | 0x40ef | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:21.511286974 CET | 192.168.2.5 | 8.8.8.8 | 0x4b0e | Standard query (0) | 194.167.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:36:21.999161005 CET | 192.168.2.5 | 8.8.8.8 | 0x99e4 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:22.141558886 CET | 192.168.2.5 | 8.8.8.8 | 0x7ed8 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:35.422328949 CET | 192.168.2.5 | 8.8.8.8 | 0xb6a7 | Standard query (0) | 194.167.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:36:35.715254068 CET | 192.168.2.5 | 8.8.8.8 | 0x5be9 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:35.838325024 CET | 192.168.2.5 | 8.8.8.8 | 0x87be | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:48.295718908 CET | 192.168.2.5 | 8.8.8.8 | 0xbe2c | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:59.161374092 CET | 192.168.2.5 | 8.8.8.8 | 0x2abe | Standard query (0) | 194.167.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:36:59.228987932 CET | 192.168.2.5 | 8.8.8.8 | 0xa2ff | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:59.310436010 CET | 192.168.2.5 | 8.8.8.8 | 0x2337 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 20, 2020 15:37:17.825516939 CET | 192.168.2.5 | 8.8.8.8 | 0x951a | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 15:35:26.223524094 CET | 8.8.8.8 | 192.168.2.5 | 0x2a1c | Name error (3) | 194.167.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:35:26.473666906 CET | 8.8.8.8 | 192.168.2.5 | 0xfe21 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:26.473666906 CET | 8.8.8.8 | 192.168.2.5 | 0xfe21 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:26.600693941 CET | 8.8.8.8 | 192.168.2.5 | 0x5f15 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:26.600693941 CET | 8.8.8.8 | 192.168.2.5 | 0x5f15 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:38.635288000 CET | 8.8.8.8 | 192.168.2.5 | 0xd370 | No error (0) | mail.iigcest.com | | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:53.511528969 CET | 8.8.8.8 | 192.168.2.5 | 0xa285 | Name error (3) | 194.167.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:35:53.888447046 CET | 8.8.8.8 | 192.168.2.5 | 0x4211 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:53.888447046 CET | 8.8.8.8 | 192.168.2.5 | 0x4211 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:55.059571981 CET | 8.8.8.8 | 192.168.2.5 | 0x20d1 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:35:55.059571981 CET | 8.8.8.8 | 192.168.2.5 | 0x20d1 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:09.304965973 CET | 8.8.8.8 | 192.168.2.5 | 0x5551 | No error (0) | mail.iigcest.com | | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:12.264134884 CET | 8.8.8.8 | 192.168.2.5 | 0x40ef | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 15:36:21.546901941 CET | 8.8.8.8 | 192.168.2.5 | 0x4b0e | Name error (3) | 194.167.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:36:22.034761906 CET | 8.8.8.8 | 192.168.2.5 | 0x99e4 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:22.034761906 CET | 8.8.8.8 | 192.168.2.5 | 0x99e4 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:22.179312944 CET | 8.8.8.8 | 192.168.2.5 | 0x7ed8 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:22.179312944 CET | 8.8.8.8 | 192.168.2.5 | 0x7ed8 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:35.457957983 CET | 8.8.8.8 | 192.168.2.5 | 0xb6a7 | Name error (3) | 194.167.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:36:35.750921011 CET | 8.8.8.8 | 192.168.2.5 | 0x5be9 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:35.750921011 CET | 8.8.8.8 | 192.168.2.5 | 0x5be9 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:35.874130964 CET | 8.8.8.8 | 192.168.2.5 | 0x87be | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:35.874130964 CET | 8.8.8.8 | 192.168.2.5 | 0x87be | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:48.331558943 CET | 8.8.8.8 | 192.168.2.5 | 0xbe2c | No error (0) | mail.iigcest.com | | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:59.199176073 CET | 8.8.8.8 | 192.168.2.5 | 0x2abe | Name error (3) | 194.167.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 20, 2020 15:36:59.257011890 CET | 8.8.8.8 | 192.168.2.5 | 0xa2ff | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:59.257011890 CET | 8.8.8.8 | 192.168.2.5 | 0xa2ff | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:59.346191883 CET | 8.8.8.8 | 192.168.2.5 | 0x2337 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:36:59.346191883 CET | 8.8.8.8 | 192.168.2.5 | 0x2337 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 20, 2020 15:37:17.869319916 CET | 8.8.8.8 | 192.168.2.5 | 0x951a | No error (0) | mail.iigcest.com | | 166.62.27.57 | A (IP address) | IN (0x0001)
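The DNS Answers table above is what ties the sample's two kinds of outbound TCP traffic to hostnames: the public-IP lookup against whatismyipaddress.com (port 80, then 443 after the 301 below) and the repeated sessions to mail.iigcest.com on 587, the SMTP submission port. The following Python is an added example, not part of the Joe Sandbox report: it splits the report's separator-free packet rows back into ports and addresses, maps each remote address to the name it was resolved from, and counts TCP packets per remote service. The five TCP rows and two DNS rows embedded in it are copied from the tables on this page; the analysis-VM address 192.168.2.5 comes from the report, and the assumption that the VM always speaks from a Windows ephemeral port (49152 and up) is what makes the digit-run split unambiguous.

```python
"""Added example: rebuild the separator-free Joe Sandbox packet and DNS rows and
group the sample's TCP traffic by resolved hostname and remote port."""
import re
from collections import defaultdict

LOCAL_IP = "192.168.2.5"   # the analysis VM, as it appears throughout the report
EPHEMERAL_MIN = 49152      # assumption: Windows dynamic client ports start here

# Leading timestamp of every row, e.g. "Nov 20, 2020 15:35:55.194118977 CET"
TS_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})(?P<rest>.*)$")
# Successful A answer: "0x<txid>No error (0)<name><address>A (IP address)"
A_ANSWER_RE = re.compile(
    r"0x(?P<txid>[0-9a-f]{4})No error \(0\)"
    r"(?P<name>[\w.-]*[A-Za-z])(?P<addr>(?:\d{1,3}\.){3}\d{1,3})A \(IP address\)")

# Rows copied verbatim from the tables on this page (constructed sample input).
TCP_ROWS = [
    "Nov 20, 2020 15:35:55.194118977 CET49730443192.168.2.5104.16.155.36",
    "Nov 20, 2020 15:35:55.210383892 CET44349730104.16.155.36192.168.2.5",
    "Nov 20, 2020 15:36:09.311714888 CET49740587192.168.2.5166.62.27.57",
    "Nov 20, 2020 15:36:09.583421946 CET58749740166.62.27.57192.168.2.5",
    "Nov 20, 2020 15:36:09.583595991 CET49740587192.168.2.5166.62.27.57",
]
DNS_ROWS = [
    "Nov 20, 2020 15:35:26.473666906 CET8.8.8.8192.168.2.50xfe21No error (0)"
    "whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)",
    "Nov 20, 2020 15:35:38.635288000 CET8.8.8.8192.168.2.50xd370No error (0)"
    "mail.iigcest.com166.62.27.57A (IP address)IN (0x0001)",
]


def valid_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (len(p) == 1 or p[0] != "0") and int(p) <= 255 for p in parts)


def valid_port(s):
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 65535


def split_flow(fused, local_ip=LOCAL_IP):
    """Split "<srcport><dstport><srcip><dstip>" (no separators) into its fields.

    Every cut into two ports and two dotted quads is tried.  A candidate survives
    only if one endpoint is the analysis VM and that endpoint's port is ephemeral,
    because the sandbox is the client side of every flow in this report.  If that
    still leaves zero or several readings, raise instead of guessing.
    """
    found = set()
    for n1 in range(1, 6):
        for n2 in range(1, 6):
            sport, dport, ips = fused[:n1], fused[n1:n1 + n2], fused[n1 + n2:]
            if not (valid_port(sport) and valid_port(dport)):
                continue
            for cut in range(7, len(ips) - 6):        # 7 == len("1.1.1.1")
                src, dst = ips[:cut], ips[cut:]
                if not (valid_ipv4(src) and valid_ipv4(dst)):
                    continue
                if (src == local_ip and int(sport) >= EPHEMERAL_MIN) or \
                   (dst == local_ip and int(dport) >= EPHEMERAL_MIN):
                    found.add((int(sport), int(dport), src, dst))
    if len(found) != 1:
        raise ValueError(f"{len(found)} readings for {fused!r}: {sorted(found)}")
    return found.pop()


def parse_a_answers(rows):
    """Map each resolved IPv4 address to the names the DNS Answers table gave it."""
    names = defaultdict(set)
    for row in rows:
        m = A_ANSWER_RE.search(row)
        if m:
            names[m.group("addr")].add(m.group("name"))
    return names


def summarize_flows(tcp_rows, dns_rows, local_ip=LOCAL_IP):
    """Count TCP packets per (resolved name, remote IP, remote port), seen from the VM."""
    names = parse_a_answers(dns_rows)
    counts = defaultdict(int)
    for row in tcp_rows:
        rest = TS_RE.match(row).group("rest")
        sport, dport, src, dst = split_flow(rest, local_ip)
        rip, rport = (dst, dport) if src == local_ip else (src, sport)
        label = ",".join(sorted(names.get(rip, {rip})))
        counts[(label, rip, rport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (name, ip, port), n in sorted(summarize_flows(TCP_ROWS, DNS_ROWS).items()):
        print(f"{name:24} {ip:15} tcp/{port:<5} {n} packets")
```

Run stand-alone it prints one line per remote service, which for the rows above is the 443 flow to whatismyipaddress.com and the 587 flow to mail.iigcest.com. The parser deliberately refuses rows that admit more than one reading rather than taking the first plausible cut: the digit run "49730443" also reads as ports 497 and 30443, and only the requirement that the VM's own port be ephemeral rules that out, so feed it the right local address and port assumption for whatever sandbox produced the report.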

HTTP Request Dependency Graph

• whatismyipaddress.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49713 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PURCHASE ORDER.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 15:35:26.510627031 CET | 65 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 20, 2020 15:35:26.551008940 CET | 65 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Nov 2020 14:35:26 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 20 Nov 2020 15:35:26 GMT
Location: https://whatismyipaddress.com/
cf-request-id: 0687adedb90000178272bcf000000001
Server: cloudflare
CF-RAY: 5f52e5c2caab1782-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49728 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PURCHASE ORDER.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 15:35:54.918652058 CET | 193 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 20, 2020 15:35:54.954479933 CET | 193 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Nov 2020 14:35:54 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 20 Nov 2020 15:35:54 GMT
Location: https://whatismyipaddress.com/
cf-request-id: 0687ae5cb1000005c44690f000000001
Server: cloudflare
CF-RAY: 5f52e6744e3a05c4-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49752 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PURCHASE ORDER.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 15:36:22.089561939 CET | 5819 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 20, 2020 15:36:22.114939928 CET | 5819 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Nov 2020 14:36:22 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 20 Nov 2020 15:36:22 GMT
Location: https://whatismyipaddress.com/
cf-request-id: 0687aec6d4000005bb99ada000000001
Server: cloudflare
CF-RAY: 5f52e71e1fb005bb-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49757 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PURCHASE ORDER.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 15:36:35.808811903 CET | 5858 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 20, 2020 15:36:35.830921888 CET | 5858 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Nov 2020 14:36:35 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 20 Nov 2020 15:36:35 GMT
Location: https://whatismyipaddress.com/
cf-request-id: 0687aefc6b0000d6d59004c000000001
Server: cloudflare
CF-RAY: 5f52e773db84d6d5-FRA
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                          4 | 192.168.2.5 | 49764 | 104.16.155.36 | 80 | C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                          Nov 20, 2020 15:36:59.282638073 CET | 5888 | OUT | GET / HTTP/1.1
                                                                          Host: whatismyipaddress.com
                                                                          Connection: Keep-Alive
                                                                          Nov 20, 2020 15:36:59.305939913 CET | 5888 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Fri, 20 Nov 2020 14:36:59 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Fri, 20 Nov 2020 15:36:59 GMT
                                                                          Location: https://whatismyipaddress.com/
                                                                          cf-request-id: 0687af581d00002bd6a0220000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 5f52e8069d332bd6-FRA
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          SMTP Packets

                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                          Nov 20, 2020 15:35:39.467190027 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 07:35:39 -0700
                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                          220 and/or bulk e-mail.
                                                                          Nov 20, 2020 15:35:39.467962980 CET | 49724 | 587 | 192.168.2.5 | 166.62.27.57 | EHLO 305090
                                                                          Nov 20, 2020 15:35:39.749670982 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 305090 [84.17.52.25]
                                                                          250-SIZE 52428800
                                                                          250-8BITMIME
                                                                          250-PIPELINING
                                                                          250-AUTH PLAIN LOGIN
                                                                          250-CHUNKING
                                                                          250-STARTTLS
                                                                          250-SMTPUTF8
                                                                          250 HELP
                                                                          Nov 20, 2020 15:35:39.750130892 CET | 49724 | 587 | 192.168.2.5 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                          Nov 20, 2020 15:35:40.031795025 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                                                          Nov 20, 2020 15:35:40.325931072 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 235 Authentication succeeded
                                                                          Nov 20, 2020 15:35:40.326431990 CET | 49724 | 587 | 192.168.2.5 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:35:40.608051062 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 250 OK
                                                                          Nov 20, 2020 15:35:40.608349085 CET | 49724 | 587 | 192.168.2.5 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:35:40.891452074 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 250 Accepted
                                                                          Nov 20, 2020 15:35:40.891730070 CET | 49724 | 587 | 192.168.2.5 | 166.62.27.57 | DATA
                                                                          Nov 20, 2020 15:35:41.172899008 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                                                          Nov 20, 2020 15:35:41.174180984 CET | 49724 | 587 | 192.168.2.5 | 166.62.27.57 | .
                                                                          Nov 20, 2020 15:35:41.484783888 CET | 587 | 49724 | 166.62.27.57 | 192.168.2.5 | 250 OK id=1kg7Vk-004UTj-W8
                                                                          Nov 20, 2020 15:36:10.120619059 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 07:36:09 -0700
                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                          220 and/or bulk e-mail.
                                                                          Nov 20, 2020 15:36:10.121017933 CET | 49740 | 587 | 192.168.2.5 | 166.62.27.57 | EHLO 305090
                                                                          Nov 20, 2020 15:36:10.392924070 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 305090 [84.17.52.25]
                                                                          250-SIZE 52428800
                                                                          250-8BITMIME
                                                                          250-PIPELINING
                                                                          250-AUTH PLAIN LOGIN
                                                                          250-CHUNKING
                                                                          250-STARTTLS
                                                                          250-SMTPUTF8
                                                                          250 HELP
                                                                          Nov 20, 2020 15:36:10.448016882 CET | 49740 | 587 | 192.168.2.5 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                          Nov 20, 2020 15:36:10.720060110 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                                                          Nov 20, 2020 15:36:11.006926060 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 235 Authentication succeeded
                                                                          Nov 20, 2020 15:36:11.008655071 CET | 49740 | 587 | 192.168.2.5 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:36:11.280472040 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 250 OK
                                                                          Nov 20, 2020 15:36:11.280853987 CET | 49740 | 587 | 192.168.2.5 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:36:11.553639889 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 250 Accepted
                                                                          Nov 20, 2020 15:36:11.655267000 CET | 49740 | 587 | 192.168.2.5 | 166.62.27.57 | DATA
                                                                          Nov 20, 2020 15:36:11.927423954 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                                                          Nov 20, 2020 15:36:11.928617954 CET | 49740 | 587 | 192.168.2.5 | 166.62.27.57 | .
                                                                          Nov 20, 2020 15:36:12.212925911 CET | 587 | 49740 | 166.62.27.57 | 192.168.2.5 | 250 OK id=1kg7WF-004V9z-OV
                                                                          Nov 20, 2020 15:36:48.885966063 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 07:36:48 -0700
                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                          220 and/or bulk e-mail.
                                                                          Nov 20, 2020 15:36:49.445619106 CET | 49762 | 587 | 192.168.2.5 | 166.62.27.57 | EHLO 305090
                                                                          Nov 20, 2020 15:36:49.717065096 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 305090 [84.17.52.25]
                                                                          250-SIZE 52428800
                                                                          250-8BITMIME
                                                                          250-PIPELINING
                                                                          250-AUTH PLAIN LOGIN
                                                                          250-CHUNKING
                                                                          250-STARTTLS
                                                                          250-SMTPUTF8
                                                                          250 HELP
                                                                          Nov 20, 2020 15:36:49.717490911 CET | 49762 | 587 | 192.168.2.5 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                          Nov 20, 2020 15:36:49.988996029 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                                                          Nov 20, 2020 15:36:50.267446995 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 235 Authentication succeeded
                                                                          Nov 20, 2020 15:36:50.267868042 CET | 49762 | 587 | 192.168.2.5 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:36:50.539273024 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 250 OK
                                                                          Nov 20, 2020 15:36:50.539747000 CET | 49762 | 587 | 192.168.2.5 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:36:50.811964035 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 250 Accepted
                                                                          Nov 20, 2020 15:36:50.812480927 CET | 49762 | 587 | 192.168.2.5 | 166.62.27.57 | DATA
                                                                          Nov 20, 2020 15:36:51.083787918 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                                                          Nov 20, 2020 15:36:51.086323023 CET | 49762 | 587 | 192.168.2.5 | 166.62.27.57 | .
                                                                          Nov 20, 2020 15:36:51.389682055 CET | 587 | 49762 | 166.62.27.57 | 192.168.2.5 | 250 OK id=1kg7Ws-004VvN-TF
                                                                          Nov 20, 2020 15:37:18.426717043 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 07:37:18 -0700
                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                          220 and/or bulk e-mail.
                                                                          Nov 20, 2020 15:37:18.427113056 CET | 49767 | 587 | 192.168.2.5 | 166.62.27.57 | EHLO 305090
                                                                          Nov 20, 2020 15:37:18.702619076 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 305090 [84.17.52.25]
                                                                          250-SIZE 52428800
                                                                          250-8BITMIME
                                                                          250-PIPELINING
                                                                          250-AUTH PLAIN LOGIN
                                                                          250-CHUNKING
                                                                          250-STARTTLS
                                                                          250-SMTPUTF8
                                                                          250 HELP
                                                                          Nov 20, 2020 15:37:18.703283072 CET | 49767 | 587 | 192.168.2.5 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                          Nov 20, 2020 15:37:18.978506088 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                                                          Nov 20, 2020 15:37:19.284562111 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 235 Authentication succeeded
                                                                          Nov 20, 2020 15:37:19.284941912 CET | 49767 | 587 | 192.168.2.5 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:37:19.559722900 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 250 OK
                                                                          Nov 20, 2020 15:37:19.560230970 CET | 49767 | 587 | 192.168.2.5 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                          Nov 20, 2020 15:37:19.836273909 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 250 Accepted
                                                                          Nov 20, 2020 15:37:19.836848021 CET | 49767 | 587 | 192.168.2.5 | 166.62.27.57 | DATA
                                                                          Nov 20, 2020 15:37:20.111982107 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                                                          Nov 20, 2020 15:37:20.113253117 CET | 49767 | 587 | 192.168.2.5 | 166.62.27.57 | .
                                                                          Nov 20, 2020 15:37:20.414644957 CET | 587 | 49767 | 166.62.27.57 | 192.168.2.5 | 250 OK id=1kg7XL-004WZO-UM

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

                                                                          Start time:15:35:18
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\PURCHASE ORDER.exe'
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Yara matches:
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.243036472.0000000002717000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.242972972.0000000002682000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:35:18
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\PURCHASE ORDER.exe'
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.296134787.0000000003BC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.292566171.0000000000B92000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.292013464.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.293899335.0000000002BC1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.292462185.0000000000AE0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.291882316.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.292688488.0000000002412000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:35:19
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6524 7175453
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Reputation:low

General

Start time: 15:35:26
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 2104
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:35:29
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.264672646.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:35:29
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x7ff797770000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.268465330.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:35:47
Start date: 20/11/2020
Path: C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PURCHASE ORDER.exe
Imagebase: 0x400000
File size: 973824 bytes
MD5 hash: 8E2337F7CDD4BCD18E862B7A73734D49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.306410027.0000000002782000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.306634331.0000000002817000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:35:48
Start date: 20/11/2020
Path: C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PURCHASE ORDER.exe
Imagebase: 0x400000
File size: 973824 bytes
MD5 hash: 8E2337F7CDD4BCD18E862B7A73734D49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.354079025.00000000022F2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.353139620.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.356703266.0000000003AB1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.356703266.0000000003AB1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.353893754.00000000021B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.353046935.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.353958056.0000000002242000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.355012308.0000000002AB1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:35:49
Start date: 20/11/2020
Path: C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 6952 7204953
Imagebase: 0x400000
File size: 973824 bytes
MD5 hash: 8E2337F7CDD4BCD18E862B7A73734D49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 15:35:55
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 2112
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:35:58
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x7ff797770000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.325960552.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:35:58
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000016.00000002.335094690.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:36:15
Start date: 20/11/2020
Path: C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PURCHASE ORDER.exe
Imagebase: 0x400000
File size: 973824 bytes
MD5 hash: 8E2337F7CDD4BCD18E862B7A73734D49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.368097670.0000000002817000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.367864416.0000000002782000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:36:16
Start date: 20/11/2020
Path: C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PURCHASE ORDER.exe
Imagebase: 0x400000
File size: 973824 bytes
MD5 hash: 8E2337F7CDD4BCD18E862B7A73734D49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.382207742.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.383019570.00000000023B2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.384995181.0000000002FF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.382905012.0000000002322000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.382096293.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.385013929.0000000002FF6000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.385265608.0000000003B71000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.385265608.0000000003B71000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.382801146.0000000002290000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:36:17
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5140 7233203
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:36:22
                                                                          Start date:20/11/2020
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:dw20.exe -x -s 2304
                                                                          Imagebase:0x10000000
                                                                          File size:33936 bytes
                                                                          MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:15:36:30
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Yara matches:
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.399940578.0000000002782000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.400160823.0000000002817000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:36:31
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.444523132.0000000002392000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.443510229.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.445346649.0000000002A41000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.444206771.0000000002282000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.443391424.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.443761363.0000000000680000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.446960963.0000000003A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.446960963.0000000003A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:36:32
                                                                          Start date:20/11/2020
                                                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\PURCHASE ORDER.exe' 2 5076 7248218
                                                                          Imagebase:0x400000
                                                                          File size:973824 bytes
                                                                          MD5 hash:8E2337F7CDD4BCD18E862B7A73734D49
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:36:35
                                                                          Start date:20/11/2020
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:dw20.exe -x -s 2272
                                                                          Imagebase:0x10000000
                                                                          File size:33936 bytes
                                                                          MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:15:36:38
                                                                          Start date:20/11/2020
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                          Imagebase:0x400000
                                                                          File size:1171592 bytes
                                                                          MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.413012282.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          General

                                                                          Start time:15:36:38
                                                                          Start date:20/11/2020
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                          Imagebase:0x400000
                                                                          File size:1171592 bytes
                                                                          MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000027.00000002.417706986.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
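
The process records above show the chain a defender would want to catch: the Delphi loader relaunching itself with numeric-only arguments (`'PURCHASE ORDER.exe' 2 5140 7233203`), and the .NET compiler vbc.exe hollowed and driven with NirSoft's `/stext` switch to dump MailPassView and WebBrowserPassView output into `%TEMP%\holdermail.txt` and `%TEMP%\holderwb.txt`. The following detection logic is an added example written for this page; it is not part of the Joe Sandbox report or of HawkEye. The process-creation events are constructed to mirror the records above (PIDs/PPIDs are invented), and the list of .NET hosts commonly used for hollowing and the allowlist of legitimate build-tool parents are assumptions to tune for your environment.

```python
"""Flag the HawkEye-style process chain from the report: self-relaunch with
numeric-only arguments, and NirSoft /stext credential dumps run from a
hollowed .NET framework binary (vbc.exe) into the user's Temp directory."""
import os
import re

# Constructed Sysmon-style process-creation events mirroring the report's
# records.  PIDs and PPIDs are made up; paths and command lines follow the page.
SAMPLE = r"C:\Users\user\Desktop\PURCHASE ORDER.exe"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
EVENTS = [
    {"pid": 5140, "ppid": 3316, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 5204, "ppid": 5140, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f"'{SAMPLE}' 2 5140 7233203"},
    {"pid": 5232, "ppid": 5204, "image": NETFX + r"\dw20.exe", "parent_image": SAMPLE,
     "cmdline": "dw20.exe -x -s 2304"},
    {"pid": 5300, "ppid": 5140, "image": NETFX + r"\vbc.exe", "parent_image": SAMPLE,
     "cmdline": NETFX + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"pid": 5304, "ppid": 5140, "image": NETFX + r"\vbc.exe", "parent_image": SAMPLE,
     "cmdline": NETFX + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    # Benign control: a real build invoking vbc.exe from MSBuild (must not alert).
    {"pid": 6100, "ppid": 6000, "image": NETFX + r"\vbc.exe",
     "parent_image": NETFX + r"\MSBuild.exe",
     "cmdline": NETFX + r"\vbc.exe /noconfig /out:App.dll Module1.vb"},
]

# Assumed lists: .NET binaries frequently used as hollowing hosts, and parents
# from which spawning a compiler is expected.  Tune both for your estate.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe", "vbc.exe"}

# Tokenizer for Windows command lines: quoted strings (either quote style, as
# the sandbox renders them) or runs of non-whitespace.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline):
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def base(path):
    """Case-folded file name from a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def rule_stext_dump(ev):
    """NirSoft-style /stext export from a .NET host or into a Temp directory."""
    toks = tokenize(ev["cmdline"])
    low = [t.lower() for t in toks]
    if "/stext" not in low:
        return None
    i = low.index("/stext")
    out = toks[i + 1] if i + 1 < len(toks) else "?"
    host = base(ev["image"])
    if host in DOTNET_HOSTS or "\\temp\\" in out.lower():
        return f"credential_dump_stext host={host} out={out}"
    return None


def rule_self_relaunch(ev):
    """Process re-executes its own image with two or more numeric-only arguments."""
    if base(ev["image"]) != base(ev["parent_image"]):
        return None
    args = tokenize(ev["cmdline"])[1:]
    if len(args) >= 2 and all(a.isdigit() for a in args):
        return f"self_relaunch_numeric_args args={' '.join(args)}"
    return None


def rule_hollow_host_parent(ev):
    """A .NET framework binary spawned by something other than a build tool."""
    host, parent = base(ev["image"]), base(ev["parent_image"])
    if host in DOTNET_HOSTS and parent not in BUILD_PARENTS:
        return f"dotnet_host_from_unexpected_parent host={host} parent={parent}"
    return None


RULES = (rule_stext_dump, rule_self_relaunch, rule_hollow_host_parent)


def detect(events):
    """Run every rule over every event; return (pid, alert) pairs in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["pid"], hit))
    return alerts


if __name__ == "__main__":
    for pid, alert in detect(EVENTS):
        print(pid, alert)
```

Run against the constructed events, the self-relaunch rule fires on the second loader instance, and both vbc.exe instances trigger the `/stext` dump rule and the unexpected-parent rule, while the MSBuild-spawned vbc.exe stays quiet. The dw20.exe records (the .NET error-reporting shim, launched here because the injected payload crashed) are deliberately left unflagged: they are a side effect, not the behaviour worth alerting on.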

                                                                          Disassembly

                                                                          Code Analysis
