
Analysis Report Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 385474
MD5: 4953a0238e781408fae3ee737bf14ac4
SHA1: 006a605fa48b26b27e859c031340344937858398
SHA256: 51688c6b77d1a093fc0d9efe21413f09d1bfef7907a726e8498e2173abb7c8d4
Tags: exe

Detection

Family: Matiex
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Matiex Keylogger
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Purchase Order.exe (PID: 6632 cmdline: 'C:\Users\user\Desktop\Purchase Order.exe' MD5: 4953A0238E781408FAE3EE737BF14AC4)
    • Purchase Order.exe (PID: 6784 cmdline: C:\Users\user\Desktop\Purchase Order.exe MD5: 4953A0238E781408FAE3EE737BF14AC4)
      • dw20.exe (PID: 6824 cmdline: dw20.exe -x -s 748 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(5 further entries not included in this export; the Strings column was empty for every row)

            Unpacked PEs

Source | Rule | Description | Author
0.2.Purchase Order.exe.3c71470.2.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
0.2.Purchase Order.exe.3c71470.2.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
2.2.Purchase Order.exe.4228d4.1.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
2.2.Purchase Order.exe.4228d4.1.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
2.2.Purchase Order.exe.400000.0.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
(7 further entries not included in this export; the Strings column was empty for every row)

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview


                      AV Detection:

Multi AV Scanner detection for submitted file
Source: Purchase Order.exe | Virustotal: Detection: 34%
Source: Purchase Order.exe | Metadefender: Detection: 13%
Source: Purchase Order.exe | ReversingLabs: Detection: 47%
Source: 2.2.Purchase Order.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Purchase Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb | source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, Purchase Order.exe, 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: Purchase Order.exe, 00000000.00000002.359685105.0000000005BB0000.00000002.00000001.sdmp, Purchase Order.exe, 00000002.00000002.429541120.00000000056D0000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} | source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, Purchase Order.exe, 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (reported twice)
Source: unknown | DNS traffic detected: queries for: clientconfig.passport.net
Source: Purchase Order.exe, 00000000.00000003.326857154.0000000004D85000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase Order.exe | String found in binary or memory: http://weather.gc.ca/astro/seeing_e.html)
Source: Purchase Order.exe, 00000000.00000003.329870889.0000000004DB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order.exe, 00000000.00000003.326857154.0000000004D85000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.
Source: Purchase Order.exe, 00000000.00000003.326857154.0000000004D85000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com4
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comCf
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comg
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comk
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comle
Source: Purchase Order.exe, 00000000.00000003.326857154.0000000004D85000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comlt
Source: Purchase Order.exe, 00000000.00000003.326857154.0000000004D85000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.M
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.347164147.0000000004D80000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order.exe, 00000000.00000003.330299371.0000000004DB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order.exe, 00000000.00000003.329870889.0000000004DB5000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order.exe, 00000000.00000003.347164147.0000000004D80000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdiaa3W
Source: Purchase Order.exe, 00000000.00000003.347164147.0000000004D80000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comldva
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order.exe, 00000000.00000003.331404936.0000000004DB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.327278693.0000000004D88000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order.exe, 00000000.00000003.327278693.0000000004D88000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/NW
Source: Purchase Order.exe, 00000000.00000003.327278693.0000000004D88000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Purchase Order.exe, 00000000.00000003.327278693.0000000004D88000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/e
Source: Purchase Order.exe, 00000000.00000003.327278693.0000000004D88000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.327836247.0000000004DB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.324401456.0000000004D9B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order.exe, 00000000.00000002.355094483.0000000004F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cndkW
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cne
Source: Purchase Order.exe, 00000000.00000003.326231503.0000000004D86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnueGZ
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Reading the URL list: apart from the Bootstrap CDN link and the weather.gc.ca page, every host above (fontbureau.com, carterandcone.com, tiro.com, sakkal.com, jiyu-kobo.co.jp, zhongyicts.com.cn and the rest, plus the Apache license URL) is a type foundry or font license reference, and the strings are font copyright metadata that gets mapped into a .NET process when it uses the system fonts through System.Drawing; the trailing junk characters (com4, comCf, designersG) are adjacent bytes picked up by the string extractor. None of them is a contact point of the sample. The only network activity recorded here is the DNS query for clientconfig.passport.net, a Microsoft domain. The Static PE information, MSVCR80.dll and VNXT.pdb entries at the top of this list are repeated verbatim in the System Summary section below.

                      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05B40F62 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05B410D2 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05B41097 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05B40F40 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code functions (address only, no API name recorded):
  0_2_04BA0098, 0_2_04BA56A0, 0_2_04BA2AC0, 0_2_04BA0B80, 0_2_04BA1BF1, 0_2_04BABF78, 0_2_04BA1348, 0_2_04BAB8B8, 0_2_04BACDC8, 0_2_04BA9D78, 0_2_04BA4960, 0_2_04BA4951, 0_2_04BA568F, 0_2_04BA4238, 0_2_04BA4228, 0_2_04BA4BB0, 0_2_04BA37B1, 0_2_04BA4BA0, 0_2_04BA9FC8, 0_2_04BA37C0, 0_2_04BAA370,
  0_2_05841E20, 0_2_05840668, 0_2_058421C0, 0_2_05840919, 0_2_05840928, 0_2_05840658,
  0_2_08085C68, 0_2_08086CA2, 0_2_08085110, 0_2_08084D98, 0_2_080849F8, 0_2_08087B08, 0_2_080863B0, 0_2_0808E3E0, 0_2_08085C11, 0_2_08089C48, 0_2_0808006C, 0_2_08080070, 0_2_0808D870, 0_2_08088898, 0_2_08089A28, 0_2_0808D2A0, 0_2_080892B0, 0_2_08085BE5
Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 748
Source: Purchase Order.exe, 00000000.00000002.347477707.00000000003E8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyName.exeP vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameu.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.359685105.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.348944578.00000000029D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Purchase Order.exe
Source: Purchase Order.exe, 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs Purchase Order.exe
Source: Purchase Order.exe, 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameu.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000002.00000000.346719432.0000000000F38000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyName.exeP vs Purchase Order.exe
Source: Purchase Order.exe, 00000002.00000002.429541120.00000000056D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order.exe
Source: Purchase Order.exe | Binary or memory string: OriginalFilenameAssemblyName.exeP vs Purchase Order.exe
Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ (listed twice in this section)
Source: classification engine | Classification label: mal80.troj.evad.winEXE@5/4@1/0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05B40CBE AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05B40C87 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Purchase Order.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER39C9.tmp
Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded (each listed twice): C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded (each listed twice): C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded (each listed twice): C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Purchase Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts (listed twice)
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Purchase Order.exe | Virustotal: Detection: 34%
Source: Purchase Order.exe | Metadefender: Detection: 13%
Source: Purchase Order.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe'
Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exe (listed twice)
Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 748 (listed twice)
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Purchase Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Purchase Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb | source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, Purchase Order.exe, 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: Purchase Order.exe, 00000000.00000002.359685105.0000000005BB0000.00000002.00000001.sdmp, Purchase Order.exe, 00000002.00000002.429541120.00000000056D0000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} | source: Purchase Order.exe, 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, Purchase Order.exe, 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp
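The Yara Overview and the OriginalFilename and PDB lines in this section expose build artefacts of the payload that survive in memory: a CodeView path ending in VNXT.pdb, and VS_VERSIONINFO OriginalFilename values (VNXT.exe, u.exe) that do not match the on-disk name Purchase Order.exe. Joe Security's JoeSecurity_Matiex and JoeSecurity_BedsObfuscator rules are not reproduced here. The block below is an added example, not code from the report or from Joe Security: it hunts for those artefacts in a raw dump and reproduces the name-mismatch check, and it shows why such a scan must try both ASCII (the PDB path in an RSDS CodeView record) and UTF-16LE (version-info strings). The dump is constructed inside the code and labelled as such; the RSDS GUID and age values in it are placeholders.

```python
"""Added example (not from the report): hunting for the build artefacts this
analysis exposes, the CodeView PDB path and VS_VERSIONINFO OriginalFilename
strings, in a raw memory dump, and checking them against the on-disk name."""
from typing import List, Tuple

# Indicator strings quoted from the report.
PDB_PATH = r"D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb"
SAMPLE_NAME = "Purchase Order.exe"

# Version-info keys are stored as null-terminated UTF-16LE.
_ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def scan_strings(buf: bytes, needles: List[str]) -> List[Tuple[str, str, int]]:
    """Every occurrence of each needle, in ASCII and in UTF-16LE: (needle, encoding, offset)."""
    hits = []
    for needle in needles:
        for enc, pattern in (("ascii", needle.encode("ascii")),
                             ("utf-16le", needle.encode("utf-16-le"))):
            pos = buf.find(pattern)
            while pos != -1:
                hits.append((needle, enc, pos))
                pos = buf.find(pattern, pos + 1)
    return hits


def _read_utf16z(buf: bytes, pos: int) -> str:
    """Read a null-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace")


def extract_original_filenames(buf: bytes) -> List[str]:
    """Value of every OriginalFilename entry in the dump (one per mapped PE image)."""
    names = []
    pos = buf.find(_ORIGINAL_FILENAME_KEY)
    while pos != -1:
        p = pos + len(_ORIGINAL_FILENAME_KEY)
        while buf[p:p + 2] == b"\x00\x00":       # skip DWORD-alignment padding before the value
            p += 2
        value = _read_utf16z(buf, p)
        if value:
            names.append(value)
        pos = buf.find(_ORIGINAL_FILENAME_KEY, pos + 2)
    return names


def name_mismatches(sample_name: str, original_names: List[str]) -> List[str]:
    """OriginalFilename values that differ from the name the file was submitted under."""
    return [n for n in original_names if n.lower() != sample_name.lower()]


def _vi_string(key: str, value: str, pad: bool) -> bytes:
    """A VS_VERSIONINFO String body: key, terminator, optional alignment padding, value, terminator."""
    return (key.encode("utf-16-le") + b"\x00\x00" + (b"\x00\x00" if pad else b"")
            + value.encode("utf-16-le") + b"\x00\x00")


def build_sample_dump() -> bytes:
    """Constructed dump (not the sandbox's memory): an RSDS CodeView record carrying the
    PDB path and two version-info entries, separated by deterministic filler."""
    filler = bytes(range(256))
    rsds = b"RSDS" + b"\x11" * 16 + (1).to_bytes(4, "little") + PDB_PATH.encode("ascii") + b"\x00"
    return (filler + rsds + filler
            + _vi_string("OriginalFilename", "VNXT.exe", pad=True) + filler
            + _vi_string("OriginalFilename", "u.exe", pad=False) + filler)


if __name__ == "__main__":
    dump = build_sample_dump()
    for hit in scan_strings(dump, [PDB_PATH, "VNXT.exe"]):
        print("hit:", hit)
    names = extract_original_filenames(dump)
    print("OriginalFilename values:", names)
    print("mismatch vs", SAMPLE_NAME, "->", name_mismatches(SAMPLE_NAME, names))
```

Run against a real dump, expect several OriginalFilename values per process, as the report shows: mscorlib, mscorrc.dll and other runtime images carry their own version resources, so the mismatch check is only a lead, and the PDB path is the stronger pivot because a private build path like D:\Before FprmT\... is specific to the author's machine.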

                      Data Obfuscation:

                      barindex
                      Yara detected Beds ObfuscatorShow sources
                      Source: Yara matchFile source: 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6632, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6784, type: MEMORY
                      Source: Yara matchFile source: 0.2.Purchase Order.exe.3c71470.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Purchase Order.exe.4228d4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order.exe.3c91f44.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order.exe.3c71470.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order.exe.3bfe060.4.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00322114 push ss; retf
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00325C7D push 00000072h; ret
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00E5828C pushad ; retf
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00E57366 push ecx; ret
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00E5731E push ecx; ret
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_04BA88FF push ecx; ret
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_04BA650E push ds; iretd
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_080858D1 push ebp; iretd
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_08085548 push 58FFFFFFh; ret
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 2_2_00E75C7D push 00000072h; ret
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 2_2_00E72114 push ss; retf
                      Source: initial sample | Static PE information: section name: .text entropy: 7.4406354621
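The push/ret sequences listed above are the two faces of this obfuscation: `push imm32; ret` is a disguised `jmp imm32` (the pushed value becomes the return address), while `push ss; retf`, `pushad; retf` and `push ds; iretd` are junk that breaks linear disassembly. The .text entropy of 7.44 bits/byte is close to the 8.0 maximum and well above what plain compiled x86 code usually shows, which is consistent with an encrypted or packed body. The following is an added example, not code from the report or from the sample: a byte-level scanner for these push/ret pairs (it resolves the jump target for the immediate forms) together with the Shannon entropy measure. The sample bytes are constructed for the example; the base address 0x400000 is the sample's image base from the report.

```python
import math
import struct

# Added example (not part of the Joe Sandbox report): flag push/ret sequences
# that disguise jumps, plus a byte-entropy measure for packed sections.

# One-byte push opcodes the scanner understands: push r32 (0x50..0x57),
# push of a segment register, and pushad.
PUSH_ONE_BYTE = {0x50 + i: f"push {r}" for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_ONE_BYTE.update({0x06: "push es", 0x0E: "push cs", 0x16: "push ss",
                      0x1E: "push ds", 0x60: "pushad"})
# Return-style opcodes that consume what was pushed.
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0) -> list[dict]:
    """Linear scan of raw x86 bytes for push X ; ret-family pairs.

    push imm32 ; ret is equivalent to jmp imm32, so a plain ret after an
    immediate push yields a concrete target; the segment-register and pushad
    forms followed by retf/iretd are junk or anti-disassembly sequences and
    are reported without a target. No disassembler is used, so a hit inside
    data or in the middle of a longer instruction is possible: treat results
    as leads, not proof.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 < n and code[i + 5] in RET_OPS:       # push imm32
            ret = RET_OPS[code[i + 5]]
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append({"offset": base + i, "kind": f"push imm32; {ret}",
                         "target": imm if ret == "ret" else None})
            i += 6
        elif op == 0x6A and i + 2 < n and code[i + 2] in RET_OPS:     # push imm8 (sign-extended)
            ret = RET_OPS[code[i + 2]]
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            hits.append({"offset": base + i, "kind": f"push imm8; {ret}",
                         "target": imm if ret == "ret" else None})
            i += 3
        elif op in PUSH_ONE_BYTE and i + 1 < n and code[i + 1] in RET_OPS:
            hits.append({"offset": base + i,
                         "kind": f"{PUSH_ONE_BYTE[op]}; {RET_OPS[code[i + 1]]}",
                         "target": None})
            i += 2
        else:
            i += 1
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed sample: nop, push 72h; ret, nop, push 12345678h; ret,
# push ss; retf, pushad; retf, push ecx; ret, nop.
SAMPLE_CODE = bytes.fromhex("90 6A72C3 90 6878563412C3 16CB 60CB 51C3 90")

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE_CODE, base=0x400000):
        tgt = f"-> {h['target']:#x}" if h["target"] is not None else ""
        print(f"{h['offset']:#010x}  {h['kind']:<22} {tgt}")
    print(f"entropy of sample: {shannon_entropy(SAMPLE_CODE):.2f} bits/byte")
```

Run it over a dumped section (for instance the unpacked regions the Yara rules matched) rather than the packed file: in the packed body nearly every byte sequence is random, so hits there mean nothing, whereas the entropy of that same body is the useful number.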
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries collapsed)
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries collapsed)

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6632, type: MEMORY
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6632, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6784, type: MEMORY
                      Source: Yara match | File source: 0.2.Purchase Order.exe.3c71470.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order.exe.4228d4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order.exe.3c91f44.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order.exe.3c71470.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Purchase Order.exe.3bfe060.4.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 6636 | Thread sleep time: -100265s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 6676 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 100265
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: Purchase Order.exe, 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Memory allocated: page read and write | page guard
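The strings and sleep values above describe the sample's evasion checks: a lookup of the Wine-only kernel32 export `wine_get_unix_file_name`, a check for Sandboxie's `SbieDll.dll`, the VMware Tools install path and registry key, and three registry locations (the SCSI `DEVICEMAP` identifier, `Services\Disk\Enum` and the display-adapter class key `{4D36E968-...}`) whose values name the hypervisor vendor, here `VMware SVGA II`. The string next to it, `Add-MpPreference -ExclusionPath`, is the PowerShell command that adds a Defender scan exclusion. The sleep of 922337203685477 ms is `TimeSpan.MaxValue` expressed in milliseconds (Int64.MaxValue ticks divided by 10,000), an effectively infinite wait that only completes if the sandbox skips or shortens sleeps. The following is an added example, not code from the report or from the sample: a small classifier that sorts dumped strings and recorded sleep values into these categories. The regex list is constructed from the strings on this page and is not exhaustive; the sample input copies the report's own lines plus one benign font path as a control.

```python
import re

# Added example (not part of the report): sort the memory strings and sleep
# values recorded above into evasion categories. The pattern list is
# constructed from the strings the sandbox dumped and is not exhaustive.
INDICATORS = [
    (r"sbiedll\.dll", "sandboxie", "Sandboxie's injected DLL"),
    (r"wine_get_unix_file_name", "wine", "kernel32 export that exists only under Wine"),
    (r"software\\vmware, inc\.\\vmware tools", "vmware", "VMware Tools registry key"),
    (r"program files\\vmware\\vmware tools", "vmware", "VMware Tools install path"),
    (r"vmware svga ii", "vmware", "VMware display adapter name"),
    (r"hardware\\devicemap\\scsi\\scsi port \d+", "vm_generic",
     "SCSI identifier string carries the virtual disk vendor"),
    (r"system\\controlset001\\services\\disk\\enum", "vm_generic",
     "disk enumeration key carries the virtual disk vendor"),
    (r"control\\class\\\{4d36e968-e325-11ce-bfc1-08002be10318\}", "vm_generic",
     "display adapter class key (DriverDesc)"),
    (r"add-mppreference\s+-exclusionpath", "defender_exclusion",
     "PowerShell command to exclude a path from Defender scanning"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), cat, note) for p, cat, note in INDICATORS]

# 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds
# (Int64.MaxValue ticks / 10,000), i.e. an effectively infinite wait.
TIMESPAN_MAX_MS = 922_337_203_685_477
LONG_SLEEP_MS = 3 * 60 * 1000   # the report's own ">= 3 min" threshold
VM_CATEGORIES = {"sandboxie", "wine", "vmware", "vm_generic"}


def classify_strings(strings):
    """Map each dumped string to the evasion categories it hits.

    Returns {category: [(string, note), ...]}. One string can hit several
    patterns because the dumps above contain concatenated fragments.
    """
    out: dict[str, list[tuple[str, str]]] = {}
    for s in strings:
        for rx, cat, note in _COMPILED:
            if rx.search(s):
                out.setdefault(cat, []).append((s, note))
    return out


def classify_sleep(ms: int) -> str:
    """'infinite' for TimeSpan.MaxValue, 'long' at or above 3 minutes, else 'short'."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def is_likely_evasive(strings, sleeps_ms) -> bool:
    """True when any VM/sandbox check or any long/infinite sleep is present."""
    cats = set(classify_strings(strings))
    return bool(cats & VM_CATEGORIES) or any(
        classify_sleep(ms) != "short" for ms in sleeps_ms)


# Sample input copied from the memory-string and sleep lines of this report,
# plus one benign font path as a control.
SAMPLE_STRINGS = [
    "WINE_GET_UNIX_FILE_NAME",
    "SBIEDLL.DLL",
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "SOFTWARE\\VMware, Inc.\\VMware Tools",
    'VMware SVGA II!Add-MpPreference -ExclusionPath "',
    "VMWARE\"SOFTWARE\\VMware, Inc.\\VMware ToolsLHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1"
    "\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2"
    "\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    "vmwareNSYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
    "C:\\Windows\\Fonts\\arial.ttf",
]
SAMPLE_SLEEPS_MS = [100265, 922337203685477]

if __name__ == "__main__":
    for cat, hits in sorted(classify_strings(SAMPLE_STRINGS).items()):
        print(f"[{cat}]")
        for s, note in hits:
            print(f"    {note}: {s[:60]!r}")
    for ms in SAMPLE_SLEEPS_MS:
        print(f"sleep {ms} ms -> {classify_sleep(ms)}")
    print("likely evasive:", is_likely_evasive(SAMPLE_STRINGS, SAMPLE_SLEEPS_MS))
```

The `vm_generic` registry paths are worth separating from the VMware-specific strings: a sample that reads `DEVICEMAP\Scsi` or `Services\Disk\Enum` compares the result against a list of vendor names, so the same code detects VirtualBox, QEMU and Hyper-V guests as well, and an analysis VM that only hides the VMware Tools key will still be identified through those values.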

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exe
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 748
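The two lines above are the process-hollowing pattern: the sample starts a second copy of itself (created suspended, per the signature list) and writes a buffer beginning with `4D5A` (`MZ`) at the child's image base 0x400000, so the child runs the unpacked payload rather than the file on disk. The check a responder wants at that point is whether the image mapped at the base address still matches the file. The following is an added example, not code from the report or from the sample: a minimal PE32 header parser and a comparison of disk versus in-memory headers. The two images it compares are constructed inline (header only, no section data); the image base 0x400000 comes from the report, everything else is made up for the example.

```python
import struct

# Added example (not part of the report): compare the PE headers of the image
# mapped at a process's base address against the file on disk. A parent that
# creates a child suspended and then writes an MZ-headed buffer over the
# child's image base (as recorded above) leaves exactly this kind of mismatch.

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrRelocs, PtrLines, NumRelocs, NumLines, Characteristics


def parse_pe(buf: bytes) -> dict:
    """Parse the DOS/COFF/PE32 optional/section headers from a raw image prefix."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    sections = []
    for k in range(nsec):
        name, vsize, vaddr, rawsize, _, _, _, _, _, schars = struct.unpack_from(
            SECTION_FMT, buf, opt + opt_size + 40 * k)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": schars})
    return {"machine": machine, "entry": entry, "image_base": image_base,
            "chars": chars, "sections": sections}


def compare_images(disk: bytes, mem: bytes) -> list[str]:
    """Return the header fields that differ between the disk file and the mapped image.

    An empty list means the headers agree; any entry is a hollowing lead. Headers
    that agree do not prove the code is untouched: compare section contents too
    when the full mapped image is available.
    """
    d, m = parse_pe(disk), parse_pe(mem)
    diffs = []
    for field in ("machine", "entry", "image_base"):
        if d[field] != m[field]:
            diffs.append(f"{field}: disk={d[field]:#x} mem={m[field]:#x}")
    if len(d["sections"]) != len(m["sections"]):
        diffs.append(f"section count: disk={len(d['sections'])} mem={len(m['sections'])}")
    for i, (ds, ms) in enumerate(zip(d["sections"], m["sections"])):
        for key in ("name", "vaddr", "vsize", "chars"):
            if ds[key] != ms[key]:
                diffs.append(f"section[{i}].{key}: disk={ds[key]!r} mem={ms[key]!r}")
    return diffs


def build_min_pe(image_base: int, entry: int, sections: list) -> bytes:
    """Construct a minimal PE32 header (no section data) for exercising the parser.

    sections: list of (name, vaddr, vsize, characteristics) tuples.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    secs = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed images: the on-disk file and a hollowed replacement written to the
# same image base with a different entry point and section layout.
DISK_IMAGE = build_min_pe(0x400000, 0x1234, [(b".text", 0x1000, 0x800, 0x60000020),
                                             (b".rsrc", 0x2000, 0x400, 0x40000040)])
HOLLOWED_IMAGE = build_min_pe(0x400000, 0x2000, [(b".text", 0x1000, 0x3000, 0xE0000020)])

if __name__ == "__main__":
    print("intact   :", compare_images(DISK_IMAGE, DISK_IMAGE) or "no differences")
    for line in compare_images(DISK_IMAGE, HOLLOWED_IMAGE):
        print("hollowed :", line)
```

In a live triage the `mem` buffer is the region read from the child at its image base (here 0x400000) and `disk` is the file the process was launched from; the `.text` characteristics flipping to 0xE0000020 (read, write, execute) in the constructed hollowed image mirrors what a writer that maps its payload with a single RWX protection tends to leave behind, and is the first field worth checking after the entry point.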
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Matiex Keylogger
Source: Yara match | File source: 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6632, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6784, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order.exe.3c71470.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase Order.exe.4228d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.3c91f44.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.3c71470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.3bfe060.4.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

Yara detected Matiex Keylogger
Source: Yara match | File source: 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6632, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 6784, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order.exe.3c71470.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase Order.exe.4228d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.3c91f44.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.3c71470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.3bfe060.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 111 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 111 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 111 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 385474
Sample: Purchase Order.exe
Start date: 12/04/2021
Architecture: WINDOWS
Score: 80

Start -> Purchase Order.exe (started)
    DNS/IP: clientconfig.passport.net
    Signatures: Multi AV Scanner detection for submitted file; Yara detected Matiex Keylogger; Yara detected AntiVM3; 3 other signatures
Purchase Order.exe -> dropped C:\Users\user\...\Purchase Order.exe.log (ASCII)
    Signature: Injects a PE file into a foreign processes
Purchase Order.exe -> Purchase Order.exe (started)
Purchase Order.exe -> dw20.exe (started)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Purchase Order.exe | 35% | Virustotal |
Purchase Order.exe | 19% | Metadefender |
Purchase Order.exe | 48% | ReversingLabs | ByteCode-MSIL.Infostealer.Coins

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.Purchase Order.exe.400000.0.unpack | 100% | Avira | TR/Redcap.jajcu

                      Domains

Source | Detection | Scanner | Label
clientconfig.passport.net | 0% | Virustotal |

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
clientconfig.passport.net | unknown | unknown | false | | unknown

                      URLs from Memory and Binaries


                                              Contacted IPs

                                              No contacted IP infos

                                              General Information

                                              Joe Sandbox Version:31.0.0 Emerald
                                              Analysis ID:385474
                                              Start date:12.04.2021
                                              Start time:15:16:19
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 7m 49s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:Purchase Order.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal80.troj.evad.winEXE@5/4@1/0
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 4.6% (good quality ratio 2.8%)
                                              • Quality average: 33.4%
                                              • Quality standard deviation: 33.7%
                                              HCA Information:
                                              • Successful, ratio: 81%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.42.151.234, 2.23.155.232, 2.23.155.186, 20.50.102.62, 88.221.62.148, 92.123.150.225, 92.122.213.194, 92.122.213.247, 13.88.21.125, 52.155.217.156, 20.54.26.129, 92.122.144.200
                                              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, download.windowsupdate.com, download.windowsupdate.com.edgesuite.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
15:17:15 | API Interceptor | 1x Sleep call for process: Purchase Order.exe modified
15:17:57 | API Interceptor | 1x Sleep call for process: dw20.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Purchase Order.e_f38b3ed14dba9e7d30b75ea9b7736a5b21d8e31f_00000000_1afbc56f\Report.wer
                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):10158
                                              Entropy (8bit):3.7633564412815135
                                              Encrypted:false
                                              SSDEEP:96:CyenOSA/0zxWs5h5pXI/+BHUHZopAnQ0DFH2EmSonj+wdOyWnEeVc1F9ZQb5iMFH:xenOgDHvaPLk9Mn/u7sNS274ItF
                                              MD5:EDC36D4D4D275A2B46249E2AA6CBE55E
                                              SHA1:CE36456426E58D96F323193F6F7460D1C6DF29FD
                                              SHA-256:43C54784D385E90B057C8EC509CCDA80BBBDC682881ABA512350D59A223FF660
                                              SHA-512:FFD703F69DDE2300B11527CEBB7A808B76CB14FECD45AAA8FD185C3229D5E262AF84B0EE7E53FB5F0FB77201F12102FAB2A637927652AA40576BA0AB0C82B0CC
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.3.9.4.4.1.6.4.5.9.7.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.3.9.4.4.3.8.9.5.9.6.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.4.c.9.f.7.f.-.8.4.c.1.-.4.8.6.d.-.a.1.9.0.-.e.8.2.7.9.8.6.2.2.1.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.s.s.e.m.b.l.y.N.a.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.8.0.-.0.0.0.1.-.0.0.1.7.-.3.4.c.5.-.2.f.9.a.e.9.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.a.b.f.0.9.a.7.d.4.c.1.1.e.2.7.b.a.7.0.b.c.3.0.f.a.2.d.6.c.a.0.0.0.0.0.0.0.0.0.!.0.0.0.0.0.0.6.a.6.0.5.f.a.4.8.b.2.6.b.2.7.e.8.5.9.c.0.3.1.3.4.0.3.4.4.9.3.7.8.5.8.3.9.8.!.P.u.r.c.h.a.s.e. .O.r.d.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.1.1.:.1.5.:.5.8.:.5.9.!.0.!.P.u.r.c.h.a.s.e. .O.r.d.e.r...e.x.e.....B.o.o.t.I.d.=.4.
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER39C9.tmp.WERInternalMetadata.xml
                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):7624
                                              Entropy (8bit):3.7001256134003873
                                              Encrypted:false
                                              SSDEEP:192:Rrl7r3GLNiA+G6bgB6YU+56IgmfkT8SwCp15D1flTm:RrlsNiY6bgB6Yj6IgmfkYSZ5xfM
                                              MD5:5485A5684E2E126255D69664087FA626
                                              SHA1:AB9F71D28E5277EC7844E55A368235DF292D1AA6
                                              SHA-256:B57AF341EAAC6AE884AE2CC577B34DF4794A1BB524E299531D1294B396A97752
                                              SHA-512:F2B54944402CD6C9510542003D56622D056B7877BCF3971A3B6A341CBA2865A58B9C512012BF263534F36292A130D3296525BCDB77FAAE7CDE4470F1AB1DC2F0
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.4.<./.P.i.d.>.......
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AC4.tmp.xml
                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4614
                                              Entropy (8bit):4.484824980131556
                                              Encrypted:false
                                              SSDEEP:48:cvIwSD8zsCJgtWI9qUWSC8BCTM8fm8M4JFKf5vNJoFpvX+q8dB6saq+QIeO1VOd:uITfQBNSNUJFKRjqvX+YTqDxMOd
                                              MD5:805AA8E5719DA0E01DF875EA504F3165
                                              SHA1:CB1AF469E3B11D07D6F89DDC7CDC3E6D667F3DF0
                                              SHA-256:26FD6FD2682CFBB4AA36E13E8B930D164C539141F6405F63BC27085B702DED68
                                              SHA-512:9DB71DE84D0847CC4AD4F541F7E50D46BDAF9B000E680FA5BEEC70225D81A7C25953B509D0831E936A6540EDADE3879AA622B9CEFAE4938B22BD98D5BCEDB0C4
                                              Malicious:false
                                              Reputation:low
                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943648" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Purchase Order.exe.log
                                              Process:C:\Users\user\Desktop\Purchase Order.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):664
                                              Entropy (8bit):5.288448637977022
                                              Encrypted:false
                                              SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                              MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                              SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                              SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                              SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                              Malicious:true
                                              Reputation:moderate, very likely benign file
                                              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.40598591003729
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:Purchase Order.exe
                                              File size:826368
                                              MD5:4953a0238e781408fae3ee737bf14ac4
                                              SHA1:006a605fa48b26b27e859c031340344937858398
                                              SHA256:51688c6b77d1a093fc0d9efe21413f09d1bfef7907a726e8498e2173abb7c8d4
                                              SHA512:57920e2f67b62c443eb3f5319697b75d892df7a78a04f330f00aae8b821714719d2a2af1bec849765effc4df64f8ddf0bed4ed3cf81005cbcc7fff46cfd1d3c7
                                              SSDEEP:12288:LDlXerqEw/rZm+ZoF2pYGIZv4LYSdSC3I7GwPP5qRzYjJsa9ODrmOzvZ1+fLI/LE:LDderqn/w+/pYFvRC3I7GPc
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..N...L.......l... ........@.. ....................................@................................

                                              File Icon

                                              Icon Hash:4125655370600101

                                              Static PE Info

                                              General

                                              Entrypoint:0x4c6cae
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x60731CC3 [Sun Apr 11 15:58:59 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v2.0.50727
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6c54 | 0x57 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x4928 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xc4cb4 | 0xc4e00 | False | 0.751769593254 | data | 7.4406354621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xc8000 | 0x4928 | 0x4a00 | False | 0.152502111486 | data | 2.63585312657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xce000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_ICON | 0xc8130 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                                              RT_GROUP_ICON | 0xcc358 | 0x14 | data | |
                                              RT_VERSION | 0xcc36c | 0x3d0 | data | |
                                              RT_MANIFEST | 0xcc73c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

                                              DLL | Import
                                              mscoree.dll | _CorExeMain

                                              Version Infos

                                              Description | Data
                                              Translation | 0x0000 0x04b0
                                              LegalCopyright | Copyright CodeUnit 2007
                                              Assembly Version | 2007.8.28.1
                                              InternalName | AssemblyName.exe
                                              FileVersion | 2007.08.28.1
                                              CompanyName | CodeUnit
                                              LegalTrademarks |
                                              Comments | Image Size Standardiser
                                              ProductName | Image Size Standardiser
                                              ProductVersion | 2007.08.28.1
                                              FileDescription | Image Size Standardiser
                                              OriginalFilename | AssemblyName.exe

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              04/12/21-15:17:09.781420 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:09.816438 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                              04/12/21-15:17:09.822526 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:09.859114 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
                                              04/12/21-15:17:09.859602 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:09.897177 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.50.25 | 192.168.2.6
                                              04/12/21-15:17:09.901722 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:09.942778 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.62 | 192.168.2.6
                                              04/12/21-15:17:09.963919 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:10.011057 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.253 | 192.168.2.6
                                              04/12/21-15:17:10.019437 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:10.065968 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.14.78 | 192.168.2.6
                                              04/12/21-15:17:10.075882 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:10.137518 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.22.208.117 | 192.168.2.6
                                              04/12/21-15:17:10.143003 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:10.196196 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 93.186.128.39 | 192.168.2.6
                                              04/12/21-15:17:10.197569 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                              04/12/21-15:17:10.250018 | ICMP | 408 | ICMP Echo Reply | | | 2.23.155.232 | 192.168.2.6

                                              Network Port Distribution

                                              UDP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Apr 12, 2021 15:17:02.188210964 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:02.237078905 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:03.432223082 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:03.483798981 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:05.396575928 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:05.454792976 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:06.678920031 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:06.727936029 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:07.545471907 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:07.594119072 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:08.694360971 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:08.745882988 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:09.714747906 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:09.778441906 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:22.027512074 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:22.076325893 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:26.153947115 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:26.211657047 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:26.593698025 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:26.642446995 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:27.371833086 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:27.420711994 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:34.325079918 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:34.376645088 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:34.408814907 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:34.470855951 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:34.708123922 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:34.768985033 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:36.268973112 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:36.318243027 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:37.055372000 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:37.104171991 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:38.166023970 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:38.214950085 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:39.136960983 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:39.204515934 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:39.843059063 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:39.892381907 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:40.965179920 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:41.013802052 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:45.238478899 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:45.290182114 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:46.344132900 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:46.392785072 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:48.259892941 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:48.311598063 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:56.168281078 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:56.395606041 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:56.946171999 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:57.099788904 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:57.658051014 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:57.671370029 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:57.728770018 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:57.732328892 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:58.474102974 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:58.578263044 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:59.118072033 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:59.177898884 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:17:59.320744991 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:17:59.369261026 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:18:00.133456945 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:18:00.193588018 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:18:00.746002913 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:18:00.805965900 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:18:01.914160013 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:18:02.109582901 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:18:03.823339939 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:18:03.884013891 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:18:04.328334093 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
                                              Apr 12, 2021 15:18:04.377125978 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
                                              Apr 12, 2021 15:18:10.531311989 CEST5817753192.168.2.68.8.8.8
                                              Apr 12, 2021 15:18:10.589813948 CEST53581778.8.8.8192.168.2.6
                                              Apr 12, 2021 15:18:41.917402029 CEST5070053192.168.2.68.8.8.8
                                              Apr 12, 2021 15:18:41.985662937 CEST53507008.8.8.8192.168.2.6
                                              Apr 12, 2021 15:18:42.723320961 CEST5406953192.168.2.68.8.8.8
                                              Apr 12, 2021 15:18:42.772187948 CEST53540698.8.8.8192.168.2.6
                                              Apr 12, 2021 15:18:44.454745054 CEST6117853192.168.2.68.8.8.8
                                              Apr 12, 2021 15:18:44.512132883 CEST53611788.8.8.8192.168.2.6
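The packet rows above lost their column separators in extraction: each one is the timestamp, source port, destination port, source IP and destination IP run together. As an added example that is not part of the Joe Sandbox report, the following Python recovers the fields, using the fact that one side of every exchange is port 53 to split the digit run unambiguously, then pairs each query with its response by the client's ephemeral port and reports the round-trip time (a query that stays at None never received an answer). The sample rows are copied from the list above; the client and resolver addresses are taken from this report and assumed fixed.

```python
import re
from datetime import datetime
from decimal import Decimal
from typing import Dict, List, NamedTuple, Optional

# Rows copied verbatim from the UDP packet list on this page. Extraction dropped
# the column separators, so timestamp, ports and addresses run together.
SAMPLE_ROWS = [
    "Apr 12, 2021 15:17:38.166023970 CEST5033953192.168.2.68.8.8.8",
    "Apr 12, 2021 15:17:38.214950085 CEST53503398.8.8.8192.168.2.6",
    "Apr 12, 2021 15:17:57.658051014 CEST6220853192.168.2.68.8.8.8",
    "Apr 12, 2021 15:17:57.671370029 CEST5757453192.168.2.68.8.8.8",
    "Apr 12, 2021 15:17:57.728770018 CEST53575748.8.8.8192.168.2.6",
    "Apr 12, 2021 15:17:57.732328892 CEST53622088.8.8.8192.168.2.6",
]

# Both endpoints are fixed for this report: the sandbox VM and its resolver.
# Assumed here; for another report take them from its network summary.
CLIENT = "192.168.2.6"
RESOLVER = "8.8.8.8"
DNS_PORT = 53
EPOCH = datetime(1970, 1, 1)


class Packet(NamedTuple):
    time: Decimal        # seconds since EPOCH, nanosecond precision kept
    src: str
    sport: int
    dst: str
    dport: int


def _parse_time(text: str) -> Decimal:
    """'Apr 12, 2021 15:17:38.166023970' -> Decimal seconds since EPOCH."""
    whole, frac = text.split(".")
    dt = datetime.strptime(whole, "%b %d, %Y %H:%M:%S")
    return Decimal(int((dt - EPOCH).total_seconds())) + Decimal("0." + frac)


def parse_row(row: str) -> Optional[Packet]:
    """Split one flattened row into fields.

    The address pair at the end of the row fixes the direction; for DNS the
    direction pins one port to 53, which makes the remaining digits unambiguous.
    """
    ts_text, sep, tail = row.partition(" CEST")
    if not sep:
        return None
    for src, dst in ((CLIENT, RESOLVER), (RESOLVER, CLIENT)):
        if tail.endswith(src + dst):
            digits = tail[: -len(src + dst)]
            break
    else:
        return None
    if src == CLIENT:                                   # query: ephemeral -> 53
        m = re.fullmatch(rf"(\d{{1,5}}){DNS_PORT}", digits)
        if not m:
            return None
        sport, dport = int(m.group(1)), DNS_PORT
    else:                                               # response: 53 -> ephemeral
        m = re.fullmatch(rf"{DNS_PORT}(\d{{1,5}})", digits)
        if not m:
            return None
        sport, dport = DNS_PORT, int(m.group(1))
    if not all(1 <= p <= 65535 for p in (sport, dport)):
        return None
    return Packet(_parse_time(ts_text), src, sport, dst, dport)


def pair_transactions(rows: List[str]) -> Dict[int, Optional[float]]:
    """Match each query to its response by the client's ephemeral port.

    Returns {ephemeral port: round-trip time in ms}, None for unanswered queries.
    """
    queries: Dict[int, Decimal] = {}
    rtts: Dict[int, Optional[float]] = {}
    for row in rows:
        pkt = parse_row(row)
        if pkt is None:
            continue
        if pkt.src == CLIENT:
            queries[pkt.sport] = pkt.time
            rtts[pkt.sport] = None
        elif pkt.dport in queries:
            rtts[pkt.dport] = round(float((pkt.time - queries[pkt.dport]) * 1000), 3)
    return rtts


if __name__ == "__main__":
    for port, rtt in pair_transactions(SAMPLE_ROWS).items():
        print(f"port {port}: {'unanswered' if rtt is None else f'{rtt} ms'}")
```

The interleaved pair at 15:17:57 (queries from ports 62208 and 57574, answers arriving in the opposite order) is why pairing goes by port rather than by adjacency in the list.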

                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 15:17:34.708123922 CEST | 192.168.2.6 | 8.8.8.8 | 0x73a6 | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)

                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 15:17:34.768985033 CEST | 8.8.8.8 | 192.168.2.6 | 0x73a6 | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net | | CNAME (Canonical name) | IN (0x0001)

clientconfig.passport.net, answered here with the CNAME authgfx.msa.akadns6.net, is a Microsoft Account endpoint that Windows contacts on its own; it should not be treated as a network indicator for this sample.

                                              Code Manipulations

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

Start time: 15:17:07
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase Order.exe'
Imagebase: 0x320000
File size: 826368 bytes
MD5 hash: 4953A0238E781408FAE3EE737BF14AC4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                              General

Start time: 15:17:19
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Purchase Order.exe
Imagebase: 0xe70000
File size: 826368 bytes
MD5 hash: 4953A0238E781408FAE3EE737BF14AC4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low
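The dump names in the Yara match entries encode where each rule fired, and that location is the security-relevant detail of this report: the Matiex match in the second Purchase Order.exe sits at 0x402000 with protection 0x40, i.e. PAGE_EXECUTE_READWRITE, far below that process's own image base 0xE70000, which is consistent with the "creates a process in suspended mode" and "injects a PE file" signatures rather than with a section of the image loaded from disk. The parent's two matches, by contrast, are in PAGE_READWRITE data regions. As an added example that is not Joe Sandbox code, the following Python decodes those names and flags only the hit that warrants a memory dump. The field layout (process index, dump index, dump id, region base, protection, type) and the reading of the fifth field as a Win32 page protection are assumptions inferred from the strings on this page; the protection constants themselves are from winnt.h.

```python
import re
from typing import List, NamedTuple, Tuple

# Yara match sources and the owning process's image base, copied from the
# "System Behavior" entries on this page (index 0 = first Purchase Order.exe,
# image base 0x320000; index 2 = second Purchase Order.exe, image base 0xE70000).
MATCHES: List[Tuple[str, str, int]] = [
    ("JoeSecurity_AntiVM_3",
     "00000000.00000002.348990165.0000000002A0D000.00000004.00000001.sdmp", 0x320000),
    ("JoeSecurity_Matiex",
     "00000000.00000002.350207077.0000000003A8E000.00000004.00000001.sdmp", 0x320000),
    ("JoeSecurity_Matiex",
     "00000002.00000002.427728679.0000000000402000.00000040.00000001.sdmp", 0xE70000),
]

# Field layout inferred from the strings above (assumption, not documented here):
# <process index>.<dump index>.<dump id>.<region base>.<protection>.<type>.sdmp
SOURCE_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)

# Win32 page protections (winnt.h). Treating the fifth field as one of these is
# an assumption; it is consistent with the 0x04 and 0x40 values on this page.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}


class Region(NamedTuple):
    process_index: int
    address: int
    protect: int          # full value; modifiers such as PAGE_GUARD (0x100) included
    protect_name: str


def decode_source(source: str) -> Region:
    """Split a dump name into the region it describes."""
    m = SOURCE_RE.match(source)
    if not m:
        raise ValueError(f"unrecognised dump name: {source}")
    prot = int(m["prot"], 16)
    # Only the low byte carries the access type; mask off modifier bits.
    name = PAGE_PROTECT.get(prot & 0xFF, f"UNKNOWN(0x{prot:X})")
    return Region(int(m["proc"], 16), int(m["addr"], 16), prot, name)


def assess(rule: str, source: str, imagebase: int) -> List[str]:
    """Reasons a Yara hit in this region should be pulled for a memory dump."""
    region = decode_source(source)
    access = region.protect & 0xFF
    reasons = []
    if access in EXECUTABLE and access in WRITABLE:
        reasons.append(f"code region is writable ({region.protect_name})")
    # The report gives no image size, so only the lower bound is checkable:
    # anything below the image base cannot be a section of the loaded image.
    if access in EXECUTABLE and region.address < imagebase:
        reasons.append(
            f"executable region at 0x{region.address:X} lies below the image base 0x{imagebase:X}")
    return reasons


def triage(matches: List[Tuple[str, str, int]]):
    """Return (rule, process index, region address, reasons) for every hit in
    an executable region that is writable or foreign to the mapped image."""
    findings = []
    for rule, source, imagebase in matches:
        reasons = assess(rule, source, imagebase)
        if reasons:
            region = decode_source(source)
            findings.append((rule, region.process_index, region.address, reasons))
    return findings


if __name__ == "__main__":
    for rule, proc, addr, reasons in triage(MATCHES):
        print(f"{rule} in process {proc} at 0x{addr:X}: {'; '.join(reasons)}")
```

Run against the three entries on this page, only the child's Matiex hit is returned; the parent's AntiVM and Matiex hits are in read-write data and stay out of the dump queue.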

                                              General

Start time: 15:17:20
Start date: 12/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 748
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                              Disassembly

                                              Code Analysis
