Loading ...

Play interactive tourEdit tour

Analysis Report Purchase_order_397484658464974945648447564845.exe

Overview

General Information

Sample Name:Purchase_order_397484658464974945648447564845.exe
Analysis ID:356528
MD5:9d8635210670e8b332120a969dfa269e
SHA1:968d4d600dd00579f6594e3b1eff98b46b422893
SHA256:031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133
Tags:exeFormbook

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase_order_397484658464974945648447564845.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' MD5: 9D8635210670E8B332120A969DFA269E)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7096 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5532 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 2576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.aubonmarcheduparc.com/rina/"], "decoy": ["syndicauto.net", "techvorx.com", "palletrackingvancouver.com", "pricetrackerindia.com", "photocravings.com", "jenniferlwilsonrn.com", "cartucce-toner.com", "fred-auto-sport.com", "aletheajean.com", "beautyhacks.website", "seoalmaguer.com", "cursoencasa.net", "flex-eg.com", "dygdreams.com", "magnoliadawson.com", "whitehouseeffectband.com", "visualtrigger.art", "kalinahybridseeds.com", "glacesnamur.com", "drbordogna.com", "wealthtells.com", "opaoman.xyz", "ieltsjo.com", "graphicoustic.com", "jimboprivacy.com", "blockchainclood.com", "aulsgdcqg.icu", "swipeonyourself.com", "mccraft.club", "scirispartner.com", "mlinkstec.com", "allungamentopene.net", "quailridgeminischnauzers.com", "teensatoz.com", "3rud.net", "921squirecourt.com", "informaticas.net", "unicorndragonlearning.com", "duniatone.com", "abmzc023.com", "meteorproductions.com", "pinkcouturecollection.com", "dealsaction.store", "kailarosales.com", "maya-watches.com", "ladyunivers.com", "magenx2.info", "3ppschool.com", "panl.online", "intelligenten.com", "pepintre.com", "safarimadeira.info", "westglobalpartners.com", "tamilfgun.com", "upholsteredwineracks.com", "superdoctormk.club", "newfacesatv.info", "play-morepools.com", "allservice.center", "ladyandpen.com", "textileetobjet.com", "dallasgains.com", "littledeviltrainingcollar.com", "liquid-metalworks.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x86b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8a52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14765:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14251:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14867:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x149df:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x946a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x134cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa1e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19857:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 4 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
        12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpackMalware Configuration Extractor: FormBook {"C2 list": ["www.aubonmarcheduparc.com/rina/"], "decoy": ["syndicauto.net", "techvorx.com", "palletrackingvancouver.com", "pricetrackerindia.com", "photocravings.com", "jenniferlwilsonrn.com", "cartucce-toner.com", "fred-auto-sport.com", "aletheajean.com", "beautyhacks.website", "seoalmaguer.com", "cursoencasa.net", "flex-eg.com", "dygdreams.com", "magnoliadawson.com", "whitehouseeffectband.com", "visualtrigger.art", "kalinahybridseeds.com", "glacesnamur.com", "drbordogna.com", "wealthtells.com", "opaoman.xyz", "ieltsjo.com", "graphicoustic.com", "jimboprivacy.com", "blockchainclood.com", "aulsgdcqg.icu", "swipeonyourself.com", "mccraft.club", "scirispartner.com", "mlinkstec.com", "allungamentopene.net", "quailridgeminischnauzers.com", "teensatoz.com", "3rud.net", "921squirecourt.com", "informaticas.net", "unicorndragonlearning.com", "duniatone.com", "abmzc023.com", "meteorproductions.com", "pinkcouturecollection.com", "dealsaction.store", "kailarosales.com", "maya-watches.com", "ladyunivers.com", "magenx2.info", "3ppschool.com", "panl.online", "intelligenten.com", "pepintre.com", "safarimadeira.info", "westglobalpartners.com", "tamilfgun.com", "upholsteredwineracks.com", "superdoctormk.club", "newfacesatv.info", "play-morepools.com", "allservice.center", "ladyandpen.com", "textileetobjet.com", "dallasgains.com", "littledeviltrainingcollar.com", "liquid-metalworks.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: Purchase_order_397484658464974945648447564845.exeVirustotal: Detection: 40%Perma Link
          Source: Purchase_order_397484658464974945648447564845.exeReversingLabs: Detection: 31%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sampleShow sources
          Source: Purchase_order_397484658464974945648447564845.exeJoe Sandbox ML: detected
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2

          Compliance:

          barindex
          Uses 32bit PE filesShow sources
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Binary contains paths to debug symbolsShow sources
          Source: Binary string: System.Core.ni.pdbRSDSD source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: jVisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Configuration.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: mscorlib.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: System.Drawing.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: .pdbHh source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 4x nop then pop edi12_2_0040C3D7
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 4x nop then pop edi12_2_00415686

          Networking:

          barindex
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.aubonmarcheduparc.com/rina/
          Source: global trafficHTTP traffic detected: GET /base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /base/C02C82A7124B198823DC14A0727ADA5A.html HTTP/1.1Host: coroloboxorozor.com
          Source: Joe Sandbox ViewIP Address: 104.21.71.230 104.21.71.230
          Source: global trafficHTTP traffic detected: GET /base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /base/C02C82A7124B198823DC14A0727ADA5A.html HTTP/1.1Host: coroloboxorozor.com
          Source: unknownDNS traffic detected: queries for: coroloboxorozor.com
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: http://coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Purchase_order_397484658464974945648447564845.exe
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_015096C8 NtSetInformationThread,0_2_015096C8
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_0150B60D NtSetInformationThread,0_2_0150B60D
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_0150B6D0 NtSetInformationThread,0_2_0150B6D0
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004181C0 NtCreateFile,12_2_004181C0
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00418270 NtReadFile,12_2_00418270
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004182F0 NtClose,12_2_004182F0
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004183A0 NtAllocateVirtualMemory,12_2_004183A0
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041826A NtReadFile,12_2_0041826A
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041831B NtReadFile,12_2_0041831B
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_00BDA4340_2_00BDA434
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_0150D2900_2_0150D290
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0040103012_2_00401030
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041C1B812_2_0041C1B8
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041A2F312_2_0041A2F3
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00408C5C12_2_00408C5C
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00408C6012_2_00408C60
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041BC7D12_2_0041BC7D
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041B5E212_2_0041B5E2
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00402D9012_2_00402D90
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041C7F012_2_0041C7F0
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041BF9212_2_0041BF92
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00402FB012_2_00402FB0
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964
          Source: Purchase_order_397484658464974945648447564845.exeBinary or memory string: OriginalFilename vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000000.211406162.0000000000B52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBPxnwGrR.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRFkL BUJ.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exeBinary or memory string: OriginalFilename vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRFkL BUJ.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.269183019.000000000198F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000000.264656959.0000000000CE2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBPxnwGrR.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exeBinary or memory string: OriginalFilenameBPxnwGrR.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@12/9@1/1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20210223Jump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6392
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zj10wm5e.0o0.ps1Jump to behavior
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Purchase_order_397484658464974945648447564845.exeVirustotal: Detection: 40%
          Source: Purchase_order_397484658464974945648447564845.exeReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeFile read: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
          Source: unknownProcess created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -ForceJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1Jump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1Jump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: System.Core.ni.pdbRSDSD source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: jVisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Configuration.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: mscorlib.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: System.Drawing.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: .pdbHh source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdb source: WERFC3.tmp.dmp.15.dr

          Data Obfuscation:

          barindex
          Binary contains a suspicious time stampShow sources
          Source: initial sampleStatic PE information: 0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: real checksum: 0xa25a1 should be: 0xabc83
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041C942 push es; ret 12_2_0041C943
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041B3B5 push eax; ret 12_2_0041B408
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00415C5F push esi; ret 12_2_00415C66
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041B46C push eax; ret 12_2_0041B472
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041B402 push eax; ret 12_2_0041B408
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041B40B push eax; ret 12_2_0041B472
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041CD7C push ds; iretd 12_2_0041CD7D
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041850E push esp; iretd 12_2_0041850F
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00415F8E push es; retf 12_2_00415F8F

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Icon mismatch, binary includes an icon from a different legit application in order to fool usersShow sources
          Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (58).png
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004088B0 rdtsc 12_2_004088B0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4442Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2845Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6876Thread sleep time: -17524406870024063s >= -30000sJump to behavior
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: powershell.exe, 00000006.00000003.343279532.0000000005825000.00000004.00000001.sdmpBinary or memory string: Hyper-V
          Source: powershell.exe, 00000006.00000003.343279532.0000000005825000.00000004.00000001.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeProcess information queried: ProcessInformationJump to behavior

          Anti Debugging:

          barindex
          Contains functionality to hide a thread from the debuggerShow sources
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_015096C8 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,0150B5EF,00000000,000000000_2_015096C8
          Hides threads from debuggersShow sources
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeThread information set: HideFromDebuggerJump to behavior</