Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe

Overview

General Information

Sample Name:Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
Analysis ID:458949
MD5:acecd4bf504c7910e3d65cea16c63f10
SHA1:02d038f99c805f46bb6eb75cd0e2831a149b770c
SHA256:f69b1078008e3e2f37009b44a13c722c84a5115e99fda915916264ab7d95ffe1
Tags:exenull
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales1@ashtavinayaka.com", "Password": "123456789", "Host": "smtpout.secureserver.net"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.919985835.00000000036A7000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 5 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales1@ashtavinayaka.com", "Password": "123456789", "Host": "smtpout.secureserver.net"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\HQCVwZi.exeMetadefender: Detection: 42%Perma Link
                      Source: C:\Users\user\AppData\Roaming\HQCVwZi.exeReversingLabs: Detection: 78%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeVirustotal: Detection: 50%Perma Link
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeMetadefender: Detection: 42%Perma Link
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeReversingLabs: Detection: 78%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\HQCVwZi.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeJoe Sandbox ML: detected
                      Source: 7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: .pdbf source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.675371822.000000000163B000.00000004.00000020.sdmp
                      Source: Binary string: mscorrc.pdb source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.685720231.0000000006FE0000.00000002.00000001.sdmp
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 4x nop then cmp dword ptr [02FE8DBCh], 04h
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
                      Source: global trafficTCP traffic: 192.168.2.4:49779 -> 173.201.192.229:587
                      Source: global trafficTCP traffic: 192.168.2.4:49779 -> 173.201.192.229:587
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_0178A09A recv,
                      Source: unknownDNS traffic detected: queries for: smtpout.secureserver.net
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919985835.00000000036A7000.00000004.00000001.sdmpString found in binary or memory: http://BPvj8ZMVWAgX.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://QpvHvE.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653613768.0000000005910000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651091477.000000000591B000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeString found in binary or memory: http://i.imgur.com/blkrqBo.gif
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeString found in binary or memory: http://i.imgur.com/blkrqBo.gifiThis
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653104405.000000000593E000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653457135.000000000593E000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC1
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653457135.000000000593E000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comc
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653104405.000000000593E000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comgy
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653104405.000000000593E000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comint
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.664398671.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.658103255.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659363031.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersT
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.664339936.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers_
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.658148809.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersc
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659363031.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersv
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.674620981.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsF
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalso
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.650826149.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.650792136.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652365406.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652656177.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/MI1
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652656177.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/ft3
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnD
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnLog_
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652365406.000000000593D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-gy
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.661131902.000000000590D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.650664869.000000000591B000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651817942.0000000005906000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krl
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651817942.0000000005906000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651147802.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comc
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeString found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.675339054.000000000160B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      .NET source code contains very large stringsShow sources
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, lRKwMnlDDKvk6OMn0T/VtSipNT7FNpAnnFyHv.csLong String: Length: 10292
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_072017DE NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_072017AD NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_0178B0BA NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_0178B089 NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_02FE7A71
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F2DB8
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F2FC0
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F3D10
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F2DA8
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F2FBA
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056FF670
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F9929
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056FAB8D
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F5A13
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F3AC0
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F3AB3
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_056F3A87
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_07301F41
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018D8798
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018DDDE8
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018DC770
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018D6E94
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018D0AE8
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018D64F0
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018DA638
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_05F002E8
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_05F059B8
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_05F0D4A0
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_05F0DE18
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.685699201.0000000006FC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameConfigNodeType.dll> vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.675339054.000000000160B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVncLtSWKeDStmwneKlHhqCmevW.exe4 vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.679055935.000000000483E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSinkProvider.dllB vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.685720231.0000000006FE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.686491793.0000000007A50000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.686720385.0000000007B50000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.686720385.0000000007B50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.674937273.0000000000F38000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamec.exe2 vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000000.674483622.0000000000FB8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamec.exe2 vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921962895.0000000006170000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921832400.0000000005EB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921577507.00000000059A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameVncLtSWKeDStmwneKlHhqCmevW.exe4 vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeBinary or memory string: OriginalFilenamec.exe2 vs Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, XmiVjRSwZTGfbWhOs4/aSmZ5nYpPS99X27TmL.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrkEhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, lRKwMnlDDKvk6OMn0T/VtSipNT7FNpAnnFyHv.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAN8AAADHCAYAAACZfIbaAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAB27SURBVHhe7ZyHW5TXtofvP3Gfe+95To4tsQIWVER6b0rv0qUjiF3sBWwgauw5KYoxURMr9koQ0VhQI2rsCIiKgA1bUH937T0zgIbkOPrpR1nz5H0Y1Azz7b3evdba+2P+q4/dEDAM8+lh+RhGJVg+hlEJlo9hVILlYxiVYPkYRiVYPoZRCZaPYVSC5WMYlWD5GEYlWD6GUQmWj2FUguVjGJVg+RhGJVg+hlEJlo9hVILlYxiVYPkYRiVYPoZRCZaPYVSC5WMYlWD5GEYlWD6GUQmWj2FUguVjGJVg+RhGJVg+hlEJlo9hVILlYxiVYPkYRiVYPoZRCZaPYVSC5WMYlWD5GEYlWD6GUYlmIl8wejdB0/+WYRoj4kRDQ9y0jNhpBvJpB8026E10f84w70Tj2GmIn6ZjrnmgunxykGjAetkGvgULyLwLGtk0MRPwp9hpKuaaCyrKpxkcY7sQ9LUPR3+HKAx0SoKVyyjYuU2E4+BpcHbPgKvHnEbMZRgtFA/us+HiPgtOg2fA3m0SrF3GwNwpBSYOsTC2D2si5poXKsmnXbFolepLgzTAMQZmzsPgMGgKPLwWItBvFUIC1iMyaBuih+widiNGsodhtOzG0OCdiArejvDAjQjwXQVPzyVwHpQBK+dR6G8fJRd2EW/NNQuqJ5+szwNlxrNwTqFsNwFe3otpIH9GUthhjIg8jfHRlzEptpQow+TYcoZpRBkmxpQgLfoaRkeeR2LIYUQEbIOv1zdwcpuJgY6J6GcfQQKGkngaAZuORfVQQT4xCCGyLBCDY+06BoM9sxDkn0MZbgeGRxxDWswlTI4rwfT4O0hPrNZSwzBvMDOxCjMSKjE1rhzjh17CiIgixA3ZjyDfNXAbPA+2LmkkYZKMt962zS/7fWL5RMYTfV6ozHimjvGybg+lEnN4xAmMi76IqfHlmJV0H3OGPcK85CfITHkmyUp5zjD1ZEpEbDzF3ORaGTMzScS06CtIoiwY4rcB7h6LYOMynuItTCMf0XRcqsMnlE9z8aLc7EsZb6BTgtxc8fVZSWVmPmW5SmQkPiThniE75SXmp7xAVvJTZA6rxbxhjxnmT4jYyKQYyUp+TvFSR3HzCrOTHiNt6DUMCzmKYN91VIJmoK9dJMUdlZ6EpvJ6OzbV4ZPJJ5teeaQQABOHaCo3x8odq7DADRgVdZoG7RFmJz6WzIp/iKlDyzA+7DxGBh/HyKBjGBFYiNTAI4T4yrRdRAwcwYigQowecgrjQs9hYsRVzIitxNykZ5iT9BRTY+9gbNQVxATtg4f7lzC1T0Rf2wj0sRXlZ6CMw+Yg4SeVT5zB9LTxl+Wm2B728/0a8aH7MTH2KpUSf2BO4hOkx93HlKgKku0Uot1zEey0GkGO3yDQYSUC7FdoEc+Ztog/zb+//XIEUDyEuqxF1OAtSPTJo4X6EjJo0Z6b9AIZCbWYFleD4WFF8PdaBUuHUTCxjYGxbRh6UfyJONQI2HSsfio+oXyarGdk4wszp2EY5JlFWe9nucEyjfq8hakg+R5TxruDMSG/k3g74WOzFE4DJsPBZALs+4+FXb/RxBhCPGfaJmL+R8t4cDWbCU+rhbRAr0Wy/1FMi75Lme8FQQs5MTbqMkJ818PGMQ2mtvEwtgmDkbWvTAAiAzYVp58SVeQzd06Bh9cieUYzMqoIMxJvY9GI17RyVSEt7DKSfAsQ6PidlM7UMBIDDCOIcImJAdM2ETEQARMRA4Zh8rl5rwRY9x2JQeZzMJSqpIkRNzAr4QmJ95x6wjrq/a4izO9n2DtNIvkSYGwdCgNLTxhZ+VAGDCABRempXvmpinwWzqnw9l6GuJD9GDu0GBlJlfiS5JsRc4t6vJOIpFJisMUcOcDdOzqiRycnGHRygcHnBH3twbQ5NPPvqokBLT07e6B3V19Y9k5CkNN3VDFRLMU/oNLzKeanvMSkmOuI9N8MR6epGGibiD5WIehuNhgGFl7oae0nS081d0A/sXz+Uj5LlxHw8VmBhNA8jIu+gFlJ9/DlyNeYHl2K4QFHEOr6I5xNp8C4qx+++JcZOrezQJf21ujawbaeboKOdkybQTPnXTvY1NO9oz2J6SSzoZ/dcowKPo106vXmJj1B9vBXmBJ7A1EBW+DkPB1mtknoYzkE3Qa6oYe5B4wsddlPPQGbmXw3G8k3Fcbd/NH5X0I8Kylc944O6PG5Iwy/cIZhZxcYET27MK0do87OMPjCSc59j04OUjohZI9OjpQRnWU7opNvZlz1G/INbSyfRTC6DXBB94Ga7Gdk5Yte1iSgjToCNiv5pkn5ChDi8oNWvkDKepb14hl87kwT4Yre3QajT3cPGPfwQF8DT6aV06e7O3p1HSTnXiy8BlJCIR61I1R+6uQbKeSLJfkSdfKVSPmcXXTyBaGriTO6m1L2M3OHoU5AG7H7+ekP4Zu1fH27C/ko67UXJYc9TcBgWPYfgkH2ifAdNBKBnmMR6jsBoX5a6HkI0yoQ8xnmPwHhhO+gVDhbx8CiXzD6G3lTr+dK8UBVUEfNXsAAA618QY3le/ln+cw18nUb4IoeIvuZeZKAPuhp5U8ZkAT8xBmwRcjXpR3V+O3taOB94OM2AqnxCzBt/CrMm74Oi+dtxZKsXCzOzMWX85jWgpjPpfNzsXxBLqaP/wbxERnwchkO24HhMhN2aScWZKqGRNmpt3xUepoOIgHdYWDuJQU0svT75CVoC5DPkrCm3s8G5n2DEBc+i2TbgU1rT2N/7lUc/+UuTh6uwvH8KhzLY1oLJ2g+i45U4cyxKprr45g7/UfEhM7EYIck9DP0xuf/tEbXdvaU/d5TvgFUeppS9hvoocmA5t4aAetL0KbjWElalHyi7BgWnYmvlxzArs2XUHiwAudP1uJ
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Jn21NmWETEiLuT0ISI/eC8VvM0FWd2AdrJ2aY.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACwAAAAsCAYAAAAehFoBAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAIJSURBVFhH7Zg9S8RAEED9KddoYWthoxxaKAqKCoocaiFYiApaCZbaXit2thb+Af+DpVhZeNzpiaIoWIjVei8YCMfsZj8SZDGBB0eymXmEzczkBu4nayomKuGyqYTLphIum/8l3JoeUu2lEfWwXlePWzOqu7uonvZXEvjNOa6xhrVSDFe8hFuzw6rTGFPd7Xn1dLBqBWu5h3ulmLY4C7eXR3vJ50QpG7iXGFJsG6yFW1ODqrNWFyV8IBYxpVwmrIQJ/LAxISYOgZiu0lbCRT7Zfogt5dSRK8x+kxIVicueNgrzRrtUgpeTPfV5dZnwdnosrpEgh231MApThqQEOpBMD6SlNTo6jXHRoR+tMIXe5elCiHB3Z8GquWiF6U5SYBMhwkBOySWLVpiWKgU1ESpMTskli1aYOUAKauL5aPNXV6n386a4xgQ5JZcsWuFkkBGC5pEeLlUihZySSxatcDJ1CUHzSA8fYXJKLlkKF/6+u02EpWu5hAj7bokQ4aAt4fPSwdfNtbdw0EvnU9aA9vzaPBSv5RFU1nwaB6JsCfi4OBPXmAhqHNG1Zohq+AHX8dKXwsZLiGqAT4nqEwmi+wgFAhf5pInlKgvWwinstyj+SMnCG00ZonZKUhKs5R7baqDDSziFQk93oqUyByQDE1NeD35zjmussWkKNgQJ/wWVcNlUwmUTmXBN/QCoe2Fr5J6flQAAAABJRU5ErkJggg==', 'iVBORw0KGgoAAAANSUhEUgAAACwAAAAsCAYAAAAehFoBAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAH/SURBVFhH7ZjPKwVRFMf9NTaUtbIhLC2IDXtra2t7ayUsJA8JsbCxsLGgR7yX915Kkli8nWyvPi+3NH3nx713Jk1m6lOvmTvnfJrunHPm9fWv102ZqISLphIumv8jPLh5a4a3783EXtNMHT6auZO2mT/t9OA357jGGtaqGD44Cw9t3ZnR3YaZOWqZhbNOJljLPdyrYrrgJDyy82CmHUSjcC8xVOysZBIe2Lg147WmlPCBWMRUudJIFSbw5H5+shZi+kinCuf5ZKMQW+VMIlGY/aYS5Ynrno4V5o12qQRLF8/moN3tsXL1KtcoyOFSPWKFKUMqQRxI2gNptSaOsVpDOiikMIXe5elCiPDscStzc5HCdCcVOIkQYSCncokihWmpKmgSocLkVC5RpDBzgAqaxOL504+uMas3b3JNEuRULlGkMMOLCpqGPVyqhIWcyiWKFGbiUkHTsIePMDmVS5RchZvdr56wupZGkLDvlggRDtoSPi8dXL9/egsHvXQ+ZQ1oz8uXL/JaGkFlzadxIMqWgLW7D7kmiaDGUbrWDKUafsB1vPQlt/ESSjXAW0r1iQSl+wgFAuf5pInlIwuZhC3st1L8kfIb3mjKELVTSSlYyz0u1SAOZ2ELhZ7uREtlDmB4YeICfnOOa6zJ2hSy4C38V1TCRVMJF00lXDQlE66bb+YGhyafMUw8AAAAAElFTkSuQmCC'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, YsGgFbKSLZuAHhkB7QF/xGXulXKYNOrp9FovZ8K.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAAwAAAAMCAYAAABWdVznAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, lWb12LKZnvL7USZDaPL/AAmVZIKxLR7yVIkCwME.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAAwAAAAMCAYAAABWdVznAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_07201662 AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 0_2_0720162B AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_0178AF3E AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_0178AF07 AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: C:\Users\user\AppData\Roaming\HQCVwZi.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeMutant created: \Sessions\1\BaseNamedObjects\jDENOHFxiCkzXludxnUPebyq
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8725.tmpJump to behavior
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeVirustotal: Detection: 50%
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeMetadefender: Detection: 42%
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeReversingLabs: Detection: 78%
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile read: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe 'C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe'
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQCVwZi' /XML 'C:\Users\user\AppData\Local\Temp\tmp8725.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQCVwZi' /XML 'C:\Users\user\AppData\Local\Temp\tmp8725.tmp'
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic file information: File size 1133568 > 1048576
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x114200
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: .pdbf source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.675371822.000000000163B000.00000004.00000020.sdmp
                      Source: Binary string: mscorrc.pdb source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.685720231.0000000006FE0000.00000002.00000001.sdmp
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018DC2E0 push esp; iretd
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.90411210423
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.90411210423
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, LmyrT87bWMTthIY9FF/aOsABVm9snL1byNDIw.csHigh entropy of concatenated method names: 'V5UCEkZYG', 'mfKcmvmZA', 'utJFQ3Cfv', 'yZCld8jjJ', 'XVJ7CBKjj', 'i6DmbwdqH', 'JmD6Lm6qS', 'JNB0LNF8X', '.ctor', 'OB3JQkH0s'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, XmiVjRSwZTGfbWhOs4/aSmZ5nYpPS99X27TmL.csHigh entropy of concatenated method names: 'hTrIekQIb4', 'WaZIfnEW2N', 'f25IOsajui', 'HJPIMsmBvp', 'XySIHE17QD', 'hi5IJpw8Rm', 'jTxInETMxe', 'QMkIpvlIXW', 'vH2ICujD8f', 'gt0IcLAavb'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, lRKwMnlDDKvk6OMn0T/VtSipNT7FNpAnnFyHv.csHigh entropy of concatenated method names: 'dIXxtgftiA', 'aZVxg8QG71', 'XGNxhWfPZ6', 'NlVxAZ53IQ', 'Mr6xL4wGaa', 'q2ExWAxYKd', 'N8Lxen3UoX', 'KsKxfaBOvw', 'IGoxQKiYyU', 'zpKxDHvt8x'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, VduMOIKgXGFW843863X/n2qaibKBvh1QWRKiHDp.csHigh entropy of concatenated method names: '.ctor', 'AJbGmqG5pG', 'zfZG9phef5', 'jekG04iNRa', 'iGuGrWLUv0', 'lbmGD9HXvx', 'w2uGwykIMq', 'zfsGojBIUL', 'wgDG1mIoZm', 'EKRGjMc485'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, kfIIsyftDQyI9KJUkq/h7y2oyFPCRigUFhQZp.csHigh entropy of concatenated method names: '.ctor', 'JmAvetZSW6', 'Ilyvf9een3', 'amNvOMF1Ao', 'oZbvMM1Os1', 'CYgvHAJIjt', 'jIXvJQGYuq', 'CclvnC1NVq', 'dnDvpgHsOj', 'onAvCioKDI'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, u7OmMtV2WOTXgxFYxp/hvUZs3P2Ci0SkGnpya.csHigh entropy of concatenated method names: '.ctor', 'wENvSEVWtf', 'zD6vIfVvI4', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'lp4vxMG8QI', 'TBI7Y31IDI2Peqk1sN5', 'YG8PeZ1PSYJOSNTY6MO'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, pJVsxpKRj3HYP5KsWKc/jYmhTxKbWBNLnSoekJD.csHigh entropy of concatenated method names: '.ctor', 'qDXizUl1fc', 'DAPFRO2qq0', 'nlAFBHyLrj', 'CJbF8Htuk0', 'uZuFv7bVGi', 'jPQFxLWuuB', 'RJLFI3j3Mj', 'Bg4FsIA1aJ', 'wURFgfcvpd'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, QVxwF7o4B2l9RLQOdq/otavhkJTSIxTG1aZm4.csHigh entropy of concatenated method names: 'E5GUFpY2Dr', 'MrVUlwHKCw', '.ctor', 'gumU7ZwjZm', 'UcdUmJpYAm', 'I5sUCvfFEd', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'LS1UcPmAL5'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, L5VRNgvQeL9QmJsHNe/u7VF98dbWO82Hej3kG.csHigh entropy of concatenated method names: 'D90U3AhOuU', 'zcnUvCTxcw', 'oGoUhxSRLC', 'MafUAVC59Y', 'tjTULx9wj1', 'aMQUWQodKE', 'N34UeGgLsl', 'OXXUfTKEcP', 'AkWUSP7ZF8', 'lrJUIFvsNS'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Kj1TvAuFBYU6P2kPYd/M0wRJ6sQeZkxGHEa0o.csHigh entropy of concatenated method names: 'Fna3F98ntw', 'TDF37aYqGw', 'ATj3mPI1ls', 'Qrx36gXlEl', 'XQ430J96gy', 'QR13QrBARO', 'UfH3Dv1Ibu', 'xCm35KdlXQ', 'y083oBGGue', 'S0u3kT1faF'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, kaQy4L4M5Fw9ZY0i1QV/mpDEqeKzhMVxuAMEotO.csHigh entropy of concatenated method names: 'OCmuTcAJMy', 'bULuzOZM2q', 'MEd7UKgaIt', 'tkO7BT9yt6', 'fHC732CNR1', 'f757vD45CA', 'd5Z7SjGOXj', 'Bkm7ItYW9a', 'v4W7tTaw57', 'UU77grs5Ph'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, rZU6KLKWZVrueLyPkwd/L2a2WcK0KFZc6RERSLp.csHigh entropy of concatenated method names: '.ctor', 'dkLlJn484E', 'gKelGygeuh', 'CQalpOowrs', 'WdNldYVPm2', 'ATRlc8nPXK', 'gT0lioQJtS', 'hjsllXgCLf', 'BXWluEJnug', 'm8JlmQNRXr'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, zOs2X3UVCrCLjNdROZ/d72L741jeOMlm9mROE.csHigh entropy of concatenated method names: '.ctor', 'tOKtfL7VeA', 'HBXtZRRmgG', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'DdZteGS48L', 'CZxHwqsxwc3UqBS5AWj', 'yXFEyCsFjqqGFbykwhg'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, oSjQpOKvDfewXoMZ4rq/lVxhLoKdMxXUknlhuwi.csHigh entropy of concatenated method names: '.ctor', 'XaoW0Ht0xG', 'l7YWrGsC9B', 'VfpWDlFIF6', 'ayOWwoWiBi', 'mivWoNkrWP', 'uJtW1FqcJs', 'jDMWjQZJX1', 'PsNWK2lSxH', 'bL3WXnGRkh'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, yGvVgNK7odrJWHaH7sp/n1A6nJKmdrkOKWMym7S.csHigh entropy of concatenated method names: 'Dk7WtGbW3e', 'dkmWgThnOA', 'eUiLZgMmWi', 'FRRLOr1f7J', 'AJoL40E9mJ', 'TmaLHFIvRg', 'EScLGbKwia', 'WCVLnKCwmW', 'UPiLdhStRC', 'F7eLChUXgu'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, NE19xSKAyKGWJwgRK6w/abEg4KKrErda7KRLWOC.csHigh entropy of concatenated method names: '.ctor', 'IWELsBrNhV', 'SU5Ltcwb1G', 'XL1LNeKTbT', 'cXXLhnr8hl', 'pRrLBeFcEO', 'RZRL850lHJ', 'pQPL3DoR8M', 'WTVLvn9xJa', 'YVGLxHTiHT'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, fmuaq9KeyEvQfHmRbMN/MgL9y6K20MTDS0x3EjW.csHigh entropy of concatenated method names: 'WsZ4mevoZp', 'goS49J66W6', 'ogx4f7xFYL', 'UBS4ZW0lOR', 'e4C4M5LxJu', 'b5L44TcEcs', 'USm4JrRebq', 'bcd4GsWwZq', 'RRL4p382cU', 'tHa4dpKEtq'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, EeA6UuKlDt7GPunki8U/IEs6QpKTUfOSaSxn1aC.csHigh entropy of concatenated method names: 'QVIM6aP3AY', 'tYNM0guNjR', 'lw1MQYhuN0', 'p2GMD1PwBx', 'eUoM5lD3xf', 'ejWMoVvnMP', 'ccoMkYVymw', 'gkQMjIaNOJ', 'haZMyYmFXW', 's2IMXP2Jjr'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, UHomRqKfbHAwprpZBqa/sqrUReKF3vcoLdr7Lg8.csHigh entropy of concatenated method names: 'fvFMtq7y4J', 'SdpMgibbEZ', 'Y6HOyxUIE9', 'XCcOXYK4s6', 'M4mO2t4hUo', 'FM6Ob05ZUc', 'cAgOV6OD4y', 'gNPOabHXt5', 'YlXOzC5KBJ', 'vLPMR5HZm7'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, w7uDtxKXuP5IOpVMGli/A9peC7KONq2Onmue5ot.csHigh entropy of concatenated method names: 'EXPP1ul1OP', 'xScPkodM8W', 'vDqPKIZcFa', 'bAuPyDFf1v', 'Qk3PEHSKBY', 'bv2P2KRyyf', 'KsuPYOeSOM', 'OU7PVqbVBO', '.ctor', 'ylBPojkaGP'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, bdISitKDBn2pmbE0VbB/vjZSiQK9URAZ8QONkkt.csHigh entropy of concatenated method names: '.ctor', 'UN2PxWyeih', 'lWgPSi6o1H', 'SRAPIS358K', 'HLwPsxs3Fk', 'WcvPtbZkdH', 'oJmPgIiA76', 'nWXPLPMSEb', 'vhKPWT8XLr', 'vexPetRAG4'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Y7TsWoKc9Q97egIBn4l/b6AdkZKwH9hfFvaY9uy.csHigh entropy of concatenated method names: '.ctor', 'tgHAxCp1Zn', 'WNqASw6dYU', 'zM3AsmDJCr', 'wkJAtCAcaD', 'kmQANFutEe', 'sCiAhsnIMK', 'shCAPedpVl', 'b0vALNdZk8', 'c42Aq7Op2Y'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, rTZJxg4aSNZILu5hxSF/BblDl04tQldsPeR3OyS.csHigh entropy of concatenated method names: 'eiaycIZGkL', 'Gvlyi4jWrq', 'Y5Ry0e0GdU', 'w01yrjswaX', '.ctor', 'mcgylki56b', 'b05yuwXF4K', 'OnPaint', 'eTHymfQU94', 'Mcwy9EiEp8'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, I0Aoc94onyVY9AmVCCQ/og1jiT4JL873VkgcFrx.csHigh entropy of concatenated method names: 'XjIyhXPw0D', 'HVEyADFw0P', '.ctor', 'YLjy8cGhm0', 'N2ky3KXJSs', 'WXlyvXdr99', 'EtEyxZJiaH', 'x3DySFqqFH', 'FhlyIky2eU', 'Xaqys6xaue'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Pq2uxj4vFJuvDUmLnyJ/iu6A9W4dt0BWm2bcWoE.csHigh entropy of concatenated method names: 'ne2KiwtYoT', 'pU5KFtkqYs', 'T8qKuj7N9j', 'T3kK78jGP6', 'IZUK97MVq1', 'rOSK6Y01qG', 'pPyKrd3jpo', 'KVEKQ8bskM', 'JpEKw53gdL', 'Q79K5KI4gC'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, gw7M4UK4KovCExufoE1/WynGUXKKIb1WXutfPKg.csHigh entropy of concatenated method names: '.ctor', 'aABhgaIuQC', 'DFdhh3b1C5', 'w08hP7DGpi', 'AUyhWuMaCv', 'j9JheweZ82', 'OGihZlrQ9S', 'qZbhMMMh2F', 'YNwhH29Ajj', 'q2xhGIvrTD'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, s8KOYtKME6dSrb7eKi4/skWdKFze4VtaLphfSN.csHigh entropy of concatenated method names: '.ctor', 'jMrNoMxwbX', 'CTjN1y3AP7', 'nhRNjjiYZX', 'HIkNK9RFRh', 'wGiNXsTINC', 'SB9NEaauwW', 'F5ZNbwd9e9', 'o2wNYxZX32', 'CFoNa2jMsT'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Jn21NmWETEiLuT0ISI/eC8VvM0FWd2AdrJ2aY.csHigh entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'zBmNCufVvk', 'EyFNcK98Vn', 'VSbNFhBB8F', 'j1ONlZprBy', 'FkaN77COk9', 'qK3NmWlx8X', 'OnPaint', 'pfjNdp4Kqf'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, f8wT96KHcnR6nLDm4WR/DkDRrsKQMVaShVHvxlo.csHigh entropy of concatenated method names: 'pKgZhu6HwN', 'loSZA8Xuyi', 'ulWZgfmZL7', 'r3CZLybLUe', 'vDeZWmaadk', 'dYsZeBhAtd', 'eBtZfGQ8Lr', 'owUZO3x2JR', 'm4GZM24PGQ', 'TdMZHG89NX'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Xrn0HsKpZeM13QD9TU1/fpEhmdKClADS41hKTYq.csHigh entropy of concatenated method names: '.ctor', 'G3EfXCGFaV', 'jI8fE0cMmf', 'PlkfbDYe7X', 'Hw7fYDa9Pi', 'bDVfaH7Gma', 'W26fTZXTXn', 'JwwZR0sOJg', 'HJuZUGykP5', 'u8JZ8h1HHx'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, SoZg4uKEGq828EPOQpT/DUu768Ki0uTvG1HmQ7f.csHigh entropy of concatenated method names: 'P0iRbUWUFi', 'aMkRRVEj6V', 'ekyfuFfuLT', 'D2of7ut8ve', '.ctor', 'KeTfGiSLv2', 'a54fnb76G7', 'dKKfpWrg9Q', 'QAIfdE2ZJO', 'fuBfCNkouc'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, yPSkJ2NSftcBpbkbrd/Bti8gok6iYXhm3kqpo.csHigh entropy of concatenated method names: 'YkT3fLjQXx', 'AyC3Z5D0vQ', 'Jrr3M0DscZ', 'PK134nhl9O', '.ctor', 'OPX3eoPBCD', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'DQgAZ8PkdFPyfONSVPy'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, wRbFwCHHNRfhxWmU7g/kCAii0QXxqL0NSkn7l.csHigh entropy of concatenated method names: 'hmo88pbngI', 'TUn83jrDCU', 'Jwr8xh7pZQ', 'gYh8SFo5xH', 'mqX8sA54uM', 'VYZ8tMKEIP', 'cPm8NmgnbK', 'CP28hrfoQx', 'HkD8Pa6A4P', 'kJY8L7en2E'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, kYCu9epZiDXPkEuhOJ/UMGC6QCglcqY4RWFWU.csHigh entropy of concatenated method names: 'IhUBr8u7CL', 'GKYBQP8SFu', 'HkCBw5Ptl8', 'QmpB5A4Eef', 'bW0B1PXV2E', 'YoyBk5cYdB', 'hYEBKLaM5F', 'VFvByjF4MG', '.ctor', 'uEbBEZZqNH'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Q98eDQRXHaJUyGtipP/u8YMKLbAhOrIqONLp4.csHigh entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'RPVgjW5nS7', 'tCjgK9S2mK', 'RKugX1Ihcg', 'r9CgE0kZgY', 'IgDgbflKWD', 'qDSgYuUuZZ', 'SEMgagRAu5', 'w5kgTC6Lhu'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, DyFkKdjCP15J5TvFS1/AmEWJZI5tOkuUcH8Bq.csHigh entropy of concatenated method names: '.ctor', 'wu9tdKivKi', 'MhJtCKopVH', 'VoFtc8e7Kj', 'H7xtiFuNSN', 'RLlt7XC7eF', 'sqdtmUpw1n', 'mMSt6aMMgw', 'Spnt0tWWPa', 'VastQoKBAE'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, W3MG3QnXQ4kBtnuAeV/LLBdb28gJTHdNvHiyw.csHigh entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'XoetgUTMYZ', 'ciEceQseo5gvSL4xJ7s', 'bhdhr2slHgV3xPAoCHc', 'MPZ7jlsCeZrLceLYOhP'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, TigFJ5Z5BtRck7AMLU/LCci8TxlXjlLDH3Mf8.csHigh entropy of concatenated method names: '.ctor', 'GUUSjLFhtf', 'wAxSKS8wKL', 'P6wSX4BGPD', 'FcbSEq3Z04', 'qrmSb4H5jZ', 'MhXSYwp46A', 'I5ASamdoqe', 'ASYSTDn4iC', 'zJwIR7wKr5'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, hQ2Vc85wP71ZZMaTve/uFehyYLifUWayUQyje.csHigh entropy of concatenated method names: '.ctor', 'P0iRbUWUFi', 'aMkRRVEj6V', 'XKtS0AXq6H', 'RYJSrnKK8c', 'VPiSu2AFlv', 'FkuS7Td88S', 'PG7SmUQ0vs', 'GVxS9irc74', 'CXaS6MhuNq'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, xueJTtKnLsJ83JlTjoV/Ktu3KKK8Rx2WB13fWEx.csHigh entropy of concatenated method names: 'Ws4GxFGTpy', 'BH8GSDKBWW', 'MXkGshUYxe', 'U9bGtjIh84', 'LafGNBo7bK', 'GZAGhTHK5K', 'fQBGUutHC3', 'BnUGBHKglx', 'eyNG8EuoMN', 'JtfG3W3vJe'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, YsGgFbKSLZuAHhkB7QF/xGXulXKYNOrp9FovZ8K.csHigh entropy of concatenated method names: 'DFTJJE9j2V', 'O9qJGi6uZ2', 'KEIJpbTbOy', 'yxCJdkwSb0', 'EVNJc8anAd', 'FxRJiMq5qr', 'EJoJlj7o8J', 'dvwJu0iWC4', 'sPSJgM9IOd', 'ArwJNabpsM'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, lWb12LKZnvL7USZDaPL/AAmVZIKxLR7yVIkCwME.csHigh entropy of concatenated method names: 'F23HXKCV9q', 'Wh8HE6ivvd', '.ctor', 'oDJH0LdJ0V', 'XuGHrvPuIQ', 'lGGHQREvmR', 'OnMouseDown', 'OnMouseMove', 'OnPaint', 'ycMHDT8fth'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, uK0vOH47xIbVxDGt2at/T8Ta254mSUfnS3Pf2ak.csHigh entropy of concatenated method names: '.ctor', 'OnCreateControl', 'WlwGgw366s', 'gleGdCe3bl', 'bdVjS9UE3Y', 'JpljIMoc7n', 'L9Woe0NwIW', 'py8of4muUB', 'get_Text', 'set_Text'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, wX4Cul4A7cdXoSFZys7/MXrrtg4rM0rc4x8eGvT.csHigh entropy of concatenated method names: '.ctor', 'NLZ9wCACIJ', 'S0P95Gb4OQ', 'YxW91LEf7e', 'ERD9kQT7GE', 'Tq89K7kML6', 'dRI9yxKMAY', 'BYE9EX1ttP', 'MKq92y69kd', 'fav9YcE5r2'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, pWcUMZ4XaWtCBDmNRhc/LlZLTv4O8HV2cTSmbI5.csHigh entropy of concatenated method names: '.ctor', 'xf79RCwakg', 'dgQ9UnQH3P', 'yxu98YZw0m', 'yX293B9k86', 'utP9xNo4yi', 'lmY9SebabR', 'yOw9sMwMEN', 'JmJ9tBlRrs', 'yrU9NVpBGi'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, AkK0YO4DNXYOiv45ZYR/tHage449K7sWbc9UEkL.csHigh entropy of concatenated method names: '.ctor', 'pBrmPtHTOM', 'Mt8mLYX4Kq', 'gJvmqbrZDb', 'u1Cmek08rB', 'qUQmZ3qW2H', 'uGEmOEU5nR', 'vn4m4h4N4i', 'vMImHLRjuh', 'NWwmGTejCp'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, SHUvhI4cyjOO6psSVMZ/hf4Pvd4wHBxGO8DiTLn.csHigh entropy of concatenated method names: '.ctor', 'u6D7oAnyY6', 'SOA71bGNdj', 'PIE7jjDns1', 'h0s7KAjLBn', 'niK7XbDTrc', 'Eqs7E4J0Tc', 'Qhs7bF4nHv', 'C4M7Y42u2F', 'IUG7aDxxAl'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, ahZsTy44eCuV8BIRVmR/DmbIXD4KGSc0IksvBqv.csHigh entropy of concatenated method names: 'Jr17iOjPjL', 'L1Q7FTl5MB', 'YA27u8MCxb', 'PK677QalKE', 'viJ79t6JcR', 'ont76R5BjC', '.ctor', 'nol7CEiVTZ', 'KwG7cgZCmS', 'JwcaytnnMOi8spjXbFJ'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Wyq8tiK6NrSXMx0OsJP/q0tpgCK32Pmmt4IkTT0.csHigh entropy of concatenated method names: '.ctor', 'PtfeaTsOhC', 'SdveTMoB9W', 'owYfRMKdAT', 'uDcfUXa9wX', 'N2xf89HEBn', 'RgIf3KGnXB', 'gCkfxZuUen', 'qdefSPKVyk', 'KYGfswGo7J'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, rUwidSKanqXDUK9BHkZ/hB0DF2KtcnyfK2Uottv.csHigh entropy of concatenated method names: 'OnCreateControl', '.ctor', 'JbeRuw0jnX', 'uMCRzIhBHm', 'GaIeB1YbLH', 'ljPe8cTsWM', 'IC9ev8PP8X', 'o9rexuTi8y', 'SAqeIIR1aZ', 'OPhesQofX1'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, vEldfkKoGNZknAH9Lho/R9F6UUKJlmH6cdULR2o.csHigh entropy of concatenated method names: 'MpUqAh6glV', 'ri3qPVCnr2', 'q89qW4jw2b', 'eg9qqhnWqK', 'si0qfa3KNR', 'qnMqZ4owUh', 'wSOqMxNJTD', 'Kubq4iYc75', 'dDIqJl0MGu', 'R3RqGvN3y7'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, BCj93RypJj6Jopn7IP/ABbCZNGGG19XtcWCkh.csHigh entropy of concatenated method names: 'g6jSP9kwjM', 'vRySLm6nDC', 'NmpSqnWmwi', 'c6TSeHQIbT', 'e2rSZhyR6t', 'VcDSOqNmRx', 'THOS4JUZub', 'aTSSHnAEKa', '.ctor', 'U7jSGSdvU8'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, gVahYieDlwxvhMNWfM/WpSVuh25lcdeItY3Ha.csHigh entropy of concatenated method names: '.ctor', 'aq6SRmWaJk', 'Dispose', 'HkUSUfpRyw', 'lRFSBC8cJp', 'rGfS87k9af', 'BQMS3Rn5Li', 'RdnSvyHyGk', 'VKERmtpQtb', 'J5pRKocU5X'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, bXQKSCKV2S5MbejW05Y/yMOquNKPjtFnF4P8Zic.csHigh entropy of concatenated method names: '.ctor', 'RSoOi8wajV', 'LWCOFDyr8H', 'UlZOqNqe9X', 'cB9Oe5eoqr', 'V0NOZNeQnv', 'VEkOOyeAoZ', 'zKfO419Em5', 'NQeOHDmxAy', 'lI9OGGuuWw'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, hgYTprKujp6vwjpRNvR/txJiHIKsctX9ALrbZxV.csHigh entropy of concatenated method names: '.ctor', 'aQFOI3bIH0', 'KUcOsg6v1i', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'fdfOSIX5jl', 'QMbt7UHIsUAUDvCVuK3', 'ewJGr5HP4ef3GnTxJbu'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, CtumpFKNGfBGTXgT1nI/VuQ39PKkcZDLxcY29Hr.csHigh entropy of concatenated method names: 'GudZ5SWBX6', 'GkVZo5kKiF', 'ixVZ2LLIDl', 'TBhZbrfehk', '.ctor', 'bT4Zk12oOQ', 'QpuZjgvW9I', 'OnPaint', 'aSqZyVNij5', 'JdXZXPcGSy'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, t1FZfDKjrgt6uwIQSZm/W43KWTKI80b78ruqm0D.csHigh entropy of concatenated method names: '.ctor', 'qhKcKnfmy5', 'MEvcyRgrC5', 'YJtd7RN2nk', 'fwndmDf1BV', 'uaFd6677qo', 's1ed01NY4A', 'SyndQF1ndB', 'lcGdDNi9P8', 'f09d5voiVX'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, eW8wBpK5sdhFH1lRaXH/d2jgd4KLKRQNDwDrTOD.csHigh entropy of concatenated method names: 'AcuHn5snae', 'CoNHpuxtYl', '.ctor', 'fPaHOk2KqQ', 'DaUHM1cDpI', 'OnPaint', 'Y81HH2m9fW', 'pKyHJ51Kiu', 'OnMouseDown', 'OnMouseUp'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, EQcwj4KyAPYN08LY6Ab/pp4dRwKGE7v3gRpKDLk.csHigh entropy of concatenated method names: 'f1R4KF423J', 'S1J4ycXyeK', 'b6G4XGKY9W', 'nil4Eh9xLE', 'JIp42jTrPv', 'ihW4bQhouG', 'Xyv4YJRD4p', 'QQD4VhtOBU', 'BCA4a3IYXU', 'zdt4T8sOCC'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, Ao0cLfEmF1W3PBDlT5/icp4yOiUGIAG3mMaO3.csHigh entropy of concatenated method names: 'C0kBtCB89B', 'Q8RBghNEZ9', 'hrhBh7OWxr', 'aTMBA8lWkO', 'KlYBLHmexb', 'uCFBW46OBJ', 'afABesM5SR', 'RlQBfNGYRi', 'jPTBHySgPI', 'BDBBJXxK9F'
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, BZmHRp6ULqISY9ESk9/U8lvmW3NJaH1cOfrvk.csHigh entropy of concatenated method names: 'fZ6UYkiehA', 'GEJUVQiUO1', 'U2KUaak4OX', 'cf2UTeoHIb', 'xOlUzhRc2G', 'X7fBRm4vRp', 'lRwBUYjVuP', 'B1jBBq9VtQ', 'tUfB84dFai', 'ffXB3r5Epa'
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: \purchase order to be treated on request imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: \purchase order to be treated on request imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: \purchase order to be treated on request imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: \purchase order to be treated on request imediatiely po09735-08837-8478.exe
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile created: C:\Users\user\AppData\Roaming\HQCVwZi.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQCVwZi' /XML 'C:\Users\user\AppData\Local\Temp\tmp8725.tmp'
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.677627509.0000000003675000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 6708, type: MEMORYSTR
                      Found evasive API chain (trying to detect sleep duration tampering with parallel thread)Show sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFunction Chain: threadResumed,threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,systemQueried
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFunction Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWindow / User API: threadDelayed 641
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6712Thread sleep time: -46834s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6756Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6212Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6212Thread sleep count: 641 > 30
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6212Thread sleep time: -19230000s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6212Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6212Thread sleep count: 189 > 30
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe TID: 6212Thread sleep time: -94500s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 46834
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 30000
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeThread delayed: delay time: 30000
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921577507.00000000059A0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeBinary or memory string: MaJQemUNKi
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.922152833.0000000006890000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.675371822.000000000163B000.00000004.00000020.sdmpBinary or memory string: lume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921577507.00000000059A0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921577507.00000000059A0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.917743349.0000000001623000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.921577507.00000000059A0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_018DDDE8 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeMemory written: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQCVwZi' /XML 'C:\Users\user\AppData\Local\Temp\tmp8725.tmp'
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeProcess created: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.918216050.0000000001DD0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.918216050.0000000001DD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.918216050.0000000001DD0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.918216050.0000000001DD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeCode function: 7_2_0178BB16 GetUserNameW,
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.45cd120.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.46a7278.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.45cd120.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.46a7278.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.919985835.00000000036A7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 6708, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 7140, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara matchFile source: 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 7140, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.45cd120.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.46a7278.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.4781128.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.45cd120.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.46a7278.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.919985835.00000000036A7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 6708, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 7140, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Access Token Manipulation1Disable or Modify Tools11OS Credential Dumping2Account Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsNative API1Boot or Logon Initialization ScriptsProcess Injection112Obfuscated Files or Information31Input Capture111File and Directory Discovery1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsScheduled Task/Job1Logon Script (Windows)Scheduled Task/Job1Software Packing2Credentials in Registry1System Information Discovery114SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Masquerading1NTDSQuery Registry1Distributed Component Object ModelInput Capture111Scheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptVirtualization/Sandbox Evasion131LSA SecretsSecurity Software Discovery311SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonAccess Token Manipulation1Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncVirtualization/Sandbox Evasion131Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 458949 Sample: Purchase Order to be treate... Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 12 other signatures 2->39 7 Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\HQCVwZi.exe, PE32 7->19 dropped 21 C:\Users\user\...\HQCVwZi.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp8725.tmp, XML 7->23 dropped 25 Purchase Order to ...-08837-8478.exe.log, ASCII 7->25 dropped 41 Injects a PE file into a foreign processes 7->41 11 Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe 4 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 smtpout.us-phx.vox.secureserver.net 173.201.192.229, 49779, 587 AS-26496-GO-DADDY-COM-LLCUS United States 11->27 29 smtpout.vox.secureserver.net 11->29 31 smtpout.secureserver.net 11->31 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 2 other signatures 11->49 17 conhost.exe 15->17         started        signatures8 process9

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe51%VirustotalBrowse
                      Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe49%MetadefenderBrowse
                      Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe79%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                      Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\HQCVwZi.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\HQCVwZi.exe49%MetadefenderBrowse
                      C:\Users\user\AppData\Roaming\HQCVwZi.exe79%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      7.2.Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cnLog_0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://BPvj8ZMVWAgX.com0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.fontbureau.comalsF0%URL Reputationsafe
                      http://www.founder.com.cn/cnD0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.fontbureau.comgrita0%URL Reputationsafe
                      http://www.fonts.comic0%URL Reputationsafe
                      http://www.founder.com.cn/cn/MI10%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnl-gy0%Avira URL Cloudsafe
                      http://www.carterandcone.comTC10%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.fontbureau.comalso0%Avira URL Cloudsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.founder.com.cn/cn/ft30%Avira URL Cloudsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.carterandcone.comgy0%Avira URL Cloudsafe
                      http://www.carterandcone.comc0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.sandoll.co.krn0%Avira URL Cloudsafe
                      http://www.sandoll.co.krl0%URL Reputationsafe
                      http://QpvHvE.com0%Avira URL Cloudsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.fontbureau.comd0%URL Reputationsafe
                      http://en.w0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.fontbureau.comituF0%URL Reputationsafe
                      http://www.carterandcone.comint0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.tiro.comc0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      smtpout.us-phx.vox.secureserver.net
                      		173.201.192.229
                      		truefalse
                        		high
                        smtpout.secureserver.net
                        		unknown
                        		unknownfalse
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://127.0.0.1:HTTP/1.1Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          http://www.fontbureau.com/designersGPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers/?Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/bThePurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.founder.com.cn/cnLog_Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers?Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                		high
                                http://www.tiro.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.664398671.000000000593D000.00000004.00000001.sdmpfalse
                                  		high
                                  http://BPvj8ZMVWAgX.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919985835.00000000036A7000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.goodfont.co.krPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653104405.000000000593E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comalsFPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designersTPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659363031.000000000593D000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cnDPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.sajatypeworks.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.650664869.000000000591B000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.typography.netDPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cn/cThePurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://fontfabrik.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651091477.000000000591B000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.comgritaPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fonts.comicPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.650792136.000000000591B000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cn/MI1Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.fontbureau.com/designers_Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.664339936.000000000593D000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cnl-gyPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652365406.000000000593D000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designerscPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.658148809.000000000593D000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.carterandcone.comTC1Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653457135.000000000593E000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.galapagosdesign.com/DPleasePurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designersvPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659363031.000000000593D000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.comalsoPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fonts.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.650826149.000000000591B000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.sandoll.co.krPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.founder.com.cn/cn/ft3Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652656177.0000000005904000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.urwpp.deDPleasePurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.zhongyicts.com.cnPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sakkal.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072fPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exefalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.apache.org/licenses/LICENSE-2.0Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.fontbureau.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.galapagosdesign.com/Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.661131902.000000000590D000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://DynDns.comDynDNSPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comFPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.carterandcone.comgyPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653104405.000000000593E000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.carterandcone.comcPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653457135.000000000593E000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.sandoll.co.krnPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651817942.0000000005906000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.sandoll.co.krlPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651817942.0000000005906000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://QpvHvE.comPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.comaPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.674620981.0000000005900000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comdPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://en.wPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653613768.0000000005910000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.carterandcone.comlPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.founder.com.cn/cn/Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652656177.0000000005904000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.comituFPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.659669964.0000000005904000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.carterandcone.comintPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.653104405.000000000593E000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.founder.com.cn/cnPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652399217.0000000005904000.00000004.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.652365406.000000000593D000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/frere-user.htmlPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmp, Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.658103255.000000000593D000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.jiyu-kobo.co.jp/Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers8Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000002.682115394.0000000005A70000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://i.imgur.com/blkrqBo.gifiThisPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exefalse
                                                        		high
                                                        http://www.tiro.comcPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exe, 00000000.00000003.651147802.000000000591B000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://i.imgur.com/blkrqBo.gifPurchase Order to be treated on Request Imediatiely po09735-08837-8478.exefalse
                                                          		high

                                                          Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          173.201.192.229
                                                          		smtpout.us-phx.vox.secureserver.netUnited States
                                                          		26496AS-26496-GO-DADDY-COM-LLCUSfalse

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:458949
                                                          Start date:03.08.2021
                                                          Start time:22:23:18
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 9m 21s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:20
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@6/4@1/1
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 3.4% (good quality ratio 1.9%)
                                                          • Quality average: 43.8%
                                                          • Quality standard deviation: 40.2%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          Show All
                                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 104.42.151.234, 204.79.197.200, 13.107.21.200, 20.82.209.183, 23.211.6.115, 13.88.21.125, 20.54.110.249, 40.112.88.60, 173.222.108.226, 173.222.108.210, 20.82.210.154, 80.67.82.211, 80.67.82.235
                                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          22:24:16API Interceptor931x Sleep call for process: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          173.201.192.229TNT Einvoice No TNTMX9853 Consignment Notification Delivery_pdf.exeGet hashmaliciousBrowse
                                                            RFQ0723272983.exeGet hashmaliciousBrowse
                                                              XUNgjfaf6u.exeGet hashmaliciousBrowse
                                                                http://blog.ploytrip.com/z9cr/Pages/UxiQlIomnGiGKODewvEaBYLyCJh/Get hashmaliciousBrowse

                                                                  Domains

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  smtpout.us-phx.vox.secureserver.netTNT Einvoice No TNTMX9853 Consignment Notification Delivery_pdf.exeGet hashmaliciousBrowse
                                                                  • 173.201.192.229

                                                                  ASN

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  AS-26496-GO-DADDY-COM-LLCUS9JzK89dRiaBYTuN.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  SWIFT REF GO 20210730SFT21020137.exeGet hashmaliciousBrowse
                                                                  • 148.66.138.106
                                                                  UEe8hqOnX7fBM9G.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  PaymentAdvice.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  transferred $95,934.55 pdf.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  rL3Wx4zKD4.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  ORDER_0009_PDF.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  mssecsvc.exeGet hashmaliciousBrowse
                                                                  • 184.168.224.141
                                                                  Purchase Requirements.exeGet hashmaliciousBrowse
                                                                  • 192.169.220.85
                                                                  DHL Shipment Notification.PDF.exeGet hashmaliciousBrowse
                                                                  • 104.238.68.196
                                                                  PO_0008.exeGet hashmaliciousBrowse
                                                                  • 104.238.68.196
                                                                  QVwfduoULs.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  Scan#0068-46c3365.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241
                                                                  INVOICE - Q0002255 - LKJIN001 (29-07-21)-pdf.exeGet hashmaliciousBrowse
                                                                  • 198.71.232.11
                                                                  QUOTATION LIST FOR NEW ORDER 8121.exeGet hashmaliciousBrowse
                                                                  • 192.169.150.189
                                                                  P4tH618mxpGet hashmaliciousBrowse
                                                                  • 148.72.252.199
                                                                  bh68pCGom0.exeGet hashmaliciousBrowse
                                                                  • 166.62.103.55
                                                                  GSJ1vGT2WQGet hashmaliciousBrowse
                                                                  • 160.153.44.213
                                                                  AMxAyl1FvN.docGet hashmaliciousBrowse
                                                                  • 107.180.29.18
                                                                  fzyVEFy0O2.exeGet hashmaliciousBrowse
                                                                  • 184.168.131.241

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe.log
                                                                  Process:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):664
                                                                  Entropy (8bit):5.288448637977022
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                                  MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                                  SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                                  SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                                  SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                                  C:\Users\user\AppData\Local\Temp\tmp8725.tmp
                                                                  Process:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1640
                                                                  Entropy (8bit):5.185657434237342
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGX0tn:cbhK79lNQR/rydbz9I3YODOLNdq3Iy
                                                                  MD5:A42B7A7960DA158169C73159ACD24DD7
                                                                  SHA1:6DD169607FE37D32F88AFF7163D2DC4C61C6BAF8
                                                                  SHA-256:D3A4D67113C58B174808205E61A91D25AA24DEBBFBAC86E1D28A1A47FC0A90ED
                                                                  SHA-512:B8E80E0923B3072A0746D85EFADF7C789549BBDC14BAC56FA9C85B013D14542814BF5C9CCB2EDC21C38F45B1C440F778B444214AA4BF3B8384939DB7BC3B51B5
                                                                  Malicious:true
                                                                  Reputation:low
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                  C:\Users\user\AppData\Roaming\HQCVwZi.exe
                                                                  Process:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1133568
                                                                  Entropy (8bit):6.898861952674989
                                                                  Encrypted:false
                                                                  SSDEEP:24576:dxJNVQfW3q5/d3sK64JTFui2Q1zht6ype:nJN9nK64JTF32Q1r
                                                                  MD5:ACECD4BF504C7910E3D65CEA16C63F10
                                                                  SHA1:02D038F99C805F46BB6EB75CD0E2831A149B770C
                                                                  SHA-256:F69B1078008E3E2F37009B44A13C722C84A5115E99FDA915916264AB7D95FFE1
                                                                  SHA-512:4659380B670EBA061141DAC66621D85D77E53504BE642E8C5F660B46BEC436EF4DF09FBC283883E2362A04A9516E1E9375A214FFB7B40B6BBA9EF422CF225277
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: Metadefender, Detection: 49%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                  Reputation:low
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................B...........a... ........@.. ....................................@.................................`a..K.................................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B.................a......H.......8...$...........\K...............................................0..&.......+.&...(....(.............(.....o.....*...................0..........+.&.+.&. ....8.......(....8*... ............E........................R...8)...& ....8.......(.....(....9....& ....8.......(.......(.......(.... .....9....&.*...^+.&...(....o....(.....*.+.&..*..+.&..*.F+.&.+.&...(.....*...+.&..*..+.&..*..0..........+.&.+.&. ....80...s.........s.........s.........8*... ............E.............
                                                                  C:\Users\user\AppData\Roaming\HQCVwZi.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: [ZoneTransfer]....ZoneId=0

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):6.898861952674989
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  File size:1133568
                                                                  MD5:acecd4bf504c7910e3d65cea16c63f10
                                                                  SHA1:02d038f99c805f46bb6eb75cd0e2831a149b770c
                                                                  SHA256:f69b1078008e3e2f37009b44a13c722c84a5115e99fda915916264ab7d95ffe1
                                                                  SHA512:4659380b670eba061141dac66621d85d77e53504be642e8c5f660b46bec436ef4df09fbc283883e2362a04a9516e1e9375a214ffb7b40b6bba9ef422cf225277
                                                                  SSDEEP:24576:dxJNVQfW3q5/d3sK64JTFui2Q1zht6ype:nJN9nK64JTF32Q1r
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................B...........a... ........@.. ....................................@................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x5161ae
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x610204AB [Thu Jul 29 01:30:19 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v2.0.50727
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x1161600x4b.text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x1180000x5ac.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x11a0000xc.reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x20000x1141b40x114200False0.617443908443data6.90411210423IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rsrc0x1180000x5ac0x600False0.42578125data4.0783402747IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0x11a0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountry
                                                                  RT_VERSION0x1180a00x320data
                                                                  RT_MANIFEST0x1183c00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                  Imports

                                                                  DLLImport
                                                                  mscoree.dll_CorExeMain

                                                                  Version Infos

                                                                  DescriptionData
                                                                  Translation0x0000 0x04b0
                                                                  LegalCopyrightCopyright Microsoft 2014
                                                                  Assembly Version1.0.0.0
                                                                  InternalNamec.exe
                                                                  FileVersion1.0.0.0
                                                                  CompanyNameMicrosoft
                                                                  LegalTrademarks
                                                                  Comments
                                                                  ProductNameQManager
                                                                  ProductVersion1.0.0.0
                                                                  FileDescriptionQManager
                                                                  OriginalFilenamec.exe

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Aug 3, 2021 22:25:48.654634953 CEST49779587192.168.2.4173.201.192.229
                                                                  Aug 3, 2021 22:25:48.828083038 CEST58749779173.201.192.229192.168.2.4
                                                                  Aug 3, 2021 22:25:48.828525066 CEST49779587192.168.2.4173.201.192.229
                                                                  Aug 3, 2021 22:25:49.007302046 CEST58749779173.201.192.229192.168.2.4
                                                                  Aug 3, 2021 22:25:49.007816076 CEST49779587192.168.2.4173.201.192.229
                                                                  Aug 3, 2021 22:25:49.117865086 CEST49779587192.168.2.4173.201.192.229
                                                                  Aug 3, 2021 22:25:49.181066990 CEST58749779173.201.192.229192.168.2.4
                                                                  Aug 3, 2021 22:25:49.181849957 CEST58749779173.201.192.229192.168.2.4
                                                                  Aug 3, 2021 22:25:49.182132959 CEST49779587192.168.2.4173.201.192.229
                                                                  Aug 3, 2021 22:25:49.291079998 CEST58749779173.201.192.229192.168.2.4
                                                                  Aug 3, 2021 22:25:49.292259932 CEST49779587192.168.2.4173.201.192.229

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Aug 3, 2021 22:24:01.000583887 CEST6464653192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:01.025331974 CEST53646468.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:01.828732014 CEST6529853192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:01.869584084 CEST53652988.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:01.876981020 CEST5912353192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:01.920404911 CEST53591238.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:02.008394957 CEST5453153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:02.033484936 CEST53545318.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:02.950804949 CEST4971453192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:02.978352070 CEST53497148.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:03.355143070 CEST5802853192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:03.404340029 CEST53580288.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:03.923815012 CEST5309753192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:03.948453903 CEST53530978.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:04.971935987 CEST4925753192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:04.999284029 CEST53492578.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:06.322273970 CEST6238953192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:06.356110096 CEST53623898.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:07.339833021 CEST4991053192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:07.364401102 CEST53499108.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:08.406449080 CEST5585453192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:08.441802025 CEST53558548.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:09.440310955 CEST6454953192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:09.467834949 CEST53645498.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:10.640031099 CEST6315353192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:10.667943001 CEST53631538.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:11.777034998 CEST5299153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:11.801899910 CEST53529918.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:13.015561104 CEST5370053192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:13.041733027 CEST53537008.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:14.067105055 CEST5172653192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:14.100583076 CEST53517268.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:15.045774937 CEST5679453192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:15.080986977 CEST53567948.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:16.020097017 CEST5653453192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:16.052812099 CEST53565348.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:17.050476074 CEST5662753192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:17.082849979 CEST53566278.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:18.648792028 CEST5662153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:18.673351049 CEST53566218.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:19.764209032 CEST6311653192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:19.791695118 CEST53631168.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:20.783243895 CEST6407853192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:20.818662882 CEST53640788.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:22.218661070 CEST6480153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:22.243598938 CEST53648018.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:23.269294977 CEST6172153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:23.304956913 CEST53617218.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:35.483472109 CEST5125553192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:35.516408920 CEST53512558.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:52.706789970 CEST6152253192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:52.776356936 CEST53615228.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:53.300982952 CEST5233753192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:53.338432074 CEST53523378.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:53.876065969 CEST5504653192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:53.928474903 CEST53550468.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:54.027923107 CEST4961253192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:54.072804928 CEST53496128.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:54.268356085 CEST4928553192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:54.294081926 CEST53492858.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:54.795775890 CEST5060153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:54.828465939 CEST53506018.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:55.269727945 CEST6087553192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:55.302496910 CEST53608758.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:55.843694925 CEST5644853192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:55.876080036 CEST53564488.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:55.958986998 CEST5917253192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:56.002748966 CEST53591728.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:56.657665968 CEST6242053192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:56.691255093 CEST53624208.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:57.495631933 CEST6057953192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:57.529064894 CEST53605798.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:24:58.135809898 CEST5018353192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:24:58.171262026 CEST53501838.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:25:09.357471943 CEST6153153192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:25:09.402976036 CEST53615318.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:25:09.524427891 CEST4922853192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:25:09.564949989 CEST53492288.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:25:11.936330080 CEST5979453192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:25:11.970777035 CEST53597948.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:25:43.773385048 CEST5591653192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:25:43.812943935 CEST53559168.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:25:45.645577908 CEST5275253192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:25:45.693726063 CEST53527528.8.8.8192.168.2.4
                                                                  Aug 3, 2021 22:25:48.601164103 CEST6054253192.168.2.48.8.8.8
                                                                  Aug 3, 2021 22:25:48.634552002 CEST53605428.8.8.8192.168.2.4

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                  Aug 3, 2021 22:25:48.601164103 CEST192.168.2.48.8.8.80xd0a4Standard query (0)smtpout.secureserver.netA (IP address)IN (0x0001)

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.secureserver.netsmtpout.vox.secureserver.netCNAME (Canonical name)IN (0x0001)
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.vox.secureserver.netsmtpout.us-phx.vox.secureserver.netCNAME (Canonical name)IN (0x0001)
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.us-phx.vox.secureserver.net173.201.192.229A (IP address)IN (0x0001)
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.us-phx.vox.secureserver.net173.201.193.101A (IP address)IN (0x0001)
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.us-phx.vox.secureserver.net68.178.252.229A (IP address)IN (0x0001)
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.us-phx.vox.secureserver.net68.178.252.101A (IP address)IN (0x0001)
                                                                  Aug 3, 2021 22:25:48.634552002 CEST8.8.8.8192.168.2.40xd0a4No error (0)smtpout.us-phx.vox.secureserver.net173.201.192.101A (IP address)IN (0x0001)

                                                                  SMTP Packets

                                                                  TimestampSource PortDest PortSource IPDest IPCommands
                                                                  Aug 3, 2021 22:25:49.007302046 CEST58749779173.201.192.229192.168.2.4220 p3plsmtpa07-08.prod.phx3.secureserver.net :SMTPAUTH: B0yymmylZxud2 : ESMTP server p3plsmtpa07-08.prod.phx3.secureserver.net ready
                                                                  Aug 3, 2021 22:25:49.007816076 CEST49779587192.168.2.4173.201.192.229EHLO 216554
                                                                  Aug 3, 2021 22:25:49.181849957 CEST58749779173.201.192.229192.168.2.4250-p3plsmtpa07-08.prod.phx3.secureserver.net hello [84.17.52.25], secureserver.net
                                                                  250-HELP
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-SIZE 30000000
                                                                  250-PIPELINING
                                                                  250-8BITMIME
                                                                  250-STARTTLS
                                                                  250 OK

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  Analysis Process: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 6708 Parent PID: 5872

                                                                  General

                                                                  Start time:22:24:07
                                                                  Start date:03/08/2021
                                                                  Path:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe'
                                                                  Imagebase:0xe20000
                                                                  File size:1133568 bytes
                                                                  MD5 hash:ACECD4BF504C7910E3D65CEA16C63F10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676811837.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.678480420.00000000044D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.677627509.0000000003675000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Analysis Process: schtasks.exe PID: 7088 Parent PID: 6708

                                                                  General

                                                                  Start time:22:24:17
                                                                  Start date:03/08/2021
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQCVwZi' /XML 'C:\Users\user\AppData\Local\Temp\tmp8725.tmp'
                                                                  Imagebase:0xb30000
                                                                  File size:185856 bytes
                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Analysis Process: conhost.exe PID: 7096 Parent PID: 7088

                                                                  General

                                                                  Start time:22:24:18
                                                                  Start date:03/08/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff724c50000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Analysis Process: Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe PID: 7140 Parent PID: 6708

                                                                  General

                                                                  Start time:22:24:18
                                                                  Start date:03/08/2021
                                                                  Path:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\Purchase Order to be treated on Request Imediatiely po09735-08837-8478.exe
                                                                  Imagebase:0xea0000
                                                                  File size:1133568 bytes
                                                                  MD5 hash:ACECD4BF504C7910E3D65CEA16C63F10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.919985835.00000000036A7000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.919719729.0000000003621000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.917197559.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Disassembly

                                                                  Code Analysis

                                                                  Reset < >