Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 562512
MD5: 13d83a3812ec316654034e15f506aa06
SHA1: 9d4f2afe54ca9b3cd31912b10dcc288b6696f3ea
SHA256: 2518a50e9483da255cb061cb5eb966f41f39daf912341e7cf4442da4b362da8c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

AV Detection

Source: 7.0.Purchase Order.exe.400000.10.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "dattaprasad@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Source: Purchase Order.exe Virustotal: Detection: 39%
Source: Purchase Order.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe ReversingLabs: Detection: 50%
Source: Purchase Order.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe Joe Sandbox ML: detected
Source: 7.0.Purchase Order.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 23.2.tKZVPq.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 7.2.Purchase Order.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8

Compliance

Source: Purchase Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Purchase Order.exe, 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Purchase Order.exe, 00000000.00000002.383066984.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542437762.0000000002401000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552495218.0000000002A11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ybzARF.com
Source: Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order.exe, 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: tKZVPq.exe, 00000011.00000002.541479722.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Purchase Order.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.246817c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.2ea8150.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 19.2.tKZVPq.exe.2a7817c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample Static PE information: Filename: Purchase Order.exe
Source: 7.0.Purchase Order.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bB747C883u002d44A2u002d40F5u002dB49Bu002dA4294DAD5307u007d/C3D243B9u002d893Du002d4BB7u002d88B3u002dE90A28290F7A.cs Large array initialization: .cctor: array initializer size 11964
Source: 7.2.Purchase Order.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB747C883u002d44A2u002d40F5u002dB49Bu002dA4294DAD5307u007d/C3D243B9u002d893Du002d4BB7u002d88B3u002dE90A28290F7A.cs Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bB747C883u002d44A2u002d40F5u002dB49Bu002dA4294DAD5307u007d/C3D243B9u002d893Du002d4BB7u002d88B3u002dE90A28290F7A.cs Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bB747C883u002d44A2u002d40F5u002dB49Bu002dA4294DAD5307u007d/C3D243B9u002d893Du002d4BB7u002d88B3u002dE90A28290F7A.cs Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bB747C883u002d44A2u002d40F5u002dB49Bu002dA4294DAD5307u007d/C3D243B9u002d893Du002d4BB7u002d88B3u002dE90A28290F7A.cs Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bB747C883u002d44A2u002d40F5u002dB49Bu002dA4294DAD5307u007d/C3D243B9u002d893Du002d4BB7u002d88B3u002dE90A28290F7A.cs Large array initialization: .cctor: array initializer size 11964
Source: Purchase Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.246817c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.2ea8150.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 19.2.tKZVPq.exe.2a7817c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0110C827 0_2_0110C827
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0110C828 0_2_0110C828
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0110FAB0 0_2_0110FAB0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0110FAA0 0_2_0110FAA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_01109D10 0_2_01109D10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0110FD8A 0_2_0110FD8A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB1110 0_2_02BB1110
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB27E8 0_2_02BB27E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB24F0 0_2_02BB24F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB6CE8 0_2_02BB6CE8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB72E7 0_2_02BB72E7
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB21E8 0_2_02BB21E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB1918 0_2_02BB1918
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB1100 0_2_02BB1100
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_02BB27DF 0_2_02BB27DF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E55872 0_2_08E55872
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E5D850 0_2_08E5D850
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E54DF2 0_2_08E54DF2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E54588 0_2_08E54588
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E5DD00 0_2_08E5DD00
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E536C8 0_2_08E536C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E567D0 0_2_08E567D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E588E0 0_2_08E588E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E588F0 0_2_08E588F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E544DB 0_2_08E544DB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_08E56C80 0_2_08E56C80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_011D47A0 7_2_011D47A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_011D3CCC 7_2_011D3CCC
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_011D4790 7_2_011D4790
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_011D5490 7_2_011D5490
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_011DD820 7_2_011DD820
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_00A7C828 17_2_00A7C828
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_00A7FAA0 17_2_00A7FAA0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_00A7FAB0 17_2_00A7FAB0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_00A79D10 17_2_00A79D10
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02266B48 17_2_02266B48
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02261080 17_2_02261080
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02262758 17_2_02262758
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02266B3A 17_2_02266B3A
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02261070 17_2_02261070
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02261879 17_2_02261879
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02261888 17_2_02261888
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02267148 17_2_02267148
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02262159 17_2_02262159
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_02262748 17_2_02262748
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F5C588 17_2_07F5C588
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F57B90 17_2_07F57B90
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F5BAB0 17_2_07F5BAB0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F588E0 17_2_07F588E0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F52690 17_2_07F52690
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F55568 17_2_07F55568
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F55558 17_2_07F55558
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F54CB8 17_2_07F54CB8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F54CA8 17_2_07F54CA8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F54B48 17_2_07F54B48
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F54B38 17_2_07F54B38
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F559F8 17_2_07F559F8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07F559E8 17_2_07F559E8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA67D0 17_2_07FA67D0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA36C8 17_2_07FA36C8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA4DE8 17_2_07FA4DE8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA4588 17_2_07FA4588
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FADD00 17_2_07FADD00
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA5872 17_2_07FA5872
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FAD850 17_2_07FAD850
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA678B 17_2_07FA678B
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA8F78 17_2_07FA8F78
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA8B48 17_2_07FA8B48
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA8B38 17_2_07FA8B38
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA7727 17_2_07FA7727
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA7718 17_2_07FA7718
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA7708 17_2_07FA7708
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA6709 17_2_07FA6709
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA9A6D 17_2_07FA9A6D
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA8DC0 17_2_07FA8DC0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA8DB0 17_2_07FA8DB0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA3968 17_2_07FA3968
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA88F0 17_2_07FA88F0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA88E0 17_2_07FA88E0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA44DD 17_2_07FA44DD
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA6C80 17_2_07FA6C80
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_00E7C5D0 19_2_00E7C5D0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_00E7FAA0 19_2_00E7FAA0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_00E7FAB0 19_2_00E7FAB0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_00E7FD8A 19_2_00E7FD8A
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_00E79D10 19_2_00E79D10
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A32460 19_2_04A32460
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A32758 19_2_04A32758
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A31080 19_2_04A31080
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A32748 19_2_04A32748
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A32159 19_2_04A32159
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A30D30 19_2_04A30D30
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A31888 19_2_04A31888
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A31879 19_2_04A31879
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_04A33B57 19_2_04A33B57
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_0843D850 19_2_0843D850
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08435872 19_2_08435872
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_0843DD00 19_2_0843DD00
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08434DE8 19_2_08434DE8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08434588 19_2_08434588
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084336C8 19_2_084336C8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084367D0 19_2_084367D0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084388E0 19_2_084388E0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084388F0 19_2_084388F0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08433968 19_2_08433968
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08439A18 19_2_08439A18
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08438B48 19_2_08438B48
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08438B38 19_2_08438B38
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084344D8 19_2_084344D8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08436C80 19_2_08436C80
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08438DC0 19_2_08438DC0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08438DB0 19_2_08438DB0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084366D0 19_2_084366D0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084376D0 19_2_084376D0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_084376D8 19_2_084376D8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08438F78 19_2_08438F78
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08437708 19_2_08437708
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08437718 19_2_08437718
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 23_2_00F347A0 23_2_00F347A0
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 23_2_00F346B0 23_2_00F346B0
Source: C:\Users\user\Desktop\Purchase Order.exe Process Stats: CPU usage > 98%
Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameaNWASxaOLUDUuWfyRdPyaxGxcwltyjgGnzufI.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.383066984.0000000002E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.383716260.0000000003236000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.382135462.00000000009E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameaNWASxaOLUDUuWfyRdPyaxGxcwltyjgGnzufI.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.389151124.0000000009170000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
Source: Purchase Order.exe, 00000006.00000000.372788358.0000000000342000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
Source: Purchase Order.exe, 00000007.00000000.376065987.0000000000802000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
Source: Purchase Order.exe, 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameaNWASxaOLUDUuWfyRdPyaxGxcwltyjgGnzufI.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000007.00000003.450912799.0000000006396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
Source: Purchase Order.exe Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
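The OriginalFilename mismatches listed above come from VS_VERSIONINFO String entries found in the process's memory: the lure runs as "Purchase Order.exe" but was built as "kAj5Hnj.exe" (and carries "MajorRevision.exe" and a Bunifu.UI.dll resource from embedded modules). The stray trailing characters in the report (`4`, `<`, `>`) are not part of the names; they are most likely the length word of the following entry read as text by a scan that runs past the terminating NUL. As an added example, not code from the report or the sandbox, the following Python extracts those values by parsing the entry header, so the name is cut at its declared length; the fixture is constructed from the names the report lists, not from bytes of the sample.

```python
import struct

# A VS_VERSIONINFO "String" entry: WORD wLength, WORD wValueLength (in WCHARs),
# WORD wType (1 = text), the NUL-terminated UTF-16LE key, zero padding to a 32-bit
# boundary measured from the start of the entry, then the NUL-terminated value.
_HEADER = struct.Struct("<HHH")


def version_strings(blob: bytes, key: str = "OriginalFilename") -> list:
    """Every value stored under `key` in String entries found anywhere in `blob`
    (a file, a memory dump or a raw region). The value is cut at the length the entry
    header declares, not at the next printable run, so nothing from the following
    entry is glued onto the name."""
    key_w = key.encode("utf-16-le") + b"\0\0"
    value_off = _HEADER.size + len(key_w)
    value_off += (-value_off) % 4
    values, pos = [], 0
    while (i := blob.find(key_w, pos)) != -1:
        pos = i + 2
        start = i - _HEADER.size
        if start < 0:
            continue
        w_len, w_vlen, w_type = _HEADER.unpack_from(blob, start)
        if w_type != 1 or w_len < value_off + 2 * w_vlen:
            continue                         # not a well-formed text entry
        raw = blob[start + value_off:start + value_off + 2 * w_vlen]
        values.append(raw.decode("utf-16-le", "replace").rstrip("\0"))
    return values


def mismatched_original_filenames(blob: bytes, on_disk_name: str) -> list:
    """OriginalFilename values that differ from the name the file runs under.
    A renamed lure such as "Purchase Order.exe" built as "kAj5Hnj.exe" shows up here;
    so do the version resources of other modules present in a memory dump (the
    Bunifu.UI.dll entry above), so confirm the hit belongs to the main image."""
    return sorted({v for v in version_strings(blob) if v.lower() != on_disk_name.lower()})


def string_entry(key: str, value: str) -> bytes:
    """Build one String entry with the layout described above (used for the fixture)."""
    key_w = key.encode("utf-16-le") + b"\0\0"
    val_w = value.encode("utf-16-le") + b"\0\0"
    value_off = _HEADER.size + len(key_w)
    pad = (-value_off) % 4
    length = value_off + pad + len(val_w)
    return _HEADER.pack(length, len(val_w) // 2, 1) + key_w + b"\0" * pad + val_w


def build_fixture() -> bytes:
    """Constructed memory region (not bytes from the sample): the OriginalFilename
    values the report lists, laid out as consecutive DWORD-aligned String entries."""
    entries = [("OriginalFilename", "kAj5Hnj.exe"),
               ("ProductName", "MajorRevision"),
               ("OriginalFilename", "Bunifu.UI.dll"),
               ("OriginalFilename", ""),
               ("OriginalFilename", "Purchase Order.exe")]
    out = b"\x90" * 7                        # unrelated leading bytes
    for key, value in entries:
        e = string_entry(key, value)
        out += e + b"\0" * ((-len(e)) % 4)
    return out


FIXTURE = build_fixture()

if __name__ == "__main__":
    print(version_strings(FIXTURE))
    print(mismatched_original_filenames(FIXTURE, "Purchase Order.exe"))
```

Run `mismatched_original_filenames` over the file on disk and over each memory dump separately: a mismatch in the on-disk image is the renamed-lure signal, while a memory dump of a .NET process also contains the version resources of every assembly it has loaded or unpacked, so a mismatch there needs to be tied back to the main image before it means anything. An empty value (the `OriginalFilename vs` line above) is a resource with the field blanked, which is itself unusual for a legitimately built executable.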
Source: Purchase Order.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TRaCepbEuy.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tKZVPq.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase Order.exe Virustotal: Detection: 39%
Source: Purchase Order.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\Purchase Order.exe Jump to behavior
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Temp\tmp8E57.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@20/9@0/0
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2532:120:WilError_01
Source: 7.0.Purchase Order.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.Purchase Order.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Purchase Order.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_009156A1 pushad ; iretd 0_2_009156C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00914DD9 push esp; ret 0_2_00914DDD
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_011042CB push edi; ret 0_2_011042E2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_011054E9 push esi; ret 0_2_011054EE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 6_2_002756A1 pushad ; iretd 6_2_002756C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 6_2_00274DD9 push esp; ret 6_2_00274DDD
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_00734DD9 push esp; ret 7_2_00734DDD
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 7_2_007356A1 pushad ; iretd 7_2_007356C8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_000156A1 pushad ; iretd 17_2_000156C8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_00014DD9 push esp; ret 17_2_00014DDD
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 17_2_07FA9D25 push es; retf 17_2_07FA9D28
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_005E4DD9 push esp; ret 19_2_005E4DDD
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_005E56A1 pushad ; iretd 19_2_005E56C8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 19_2_08439D25 push es; retf 19_2_08439D28
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 23_2_00F3CF71 push esp; iretd 23_2_00F3CF7D
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 28_2_009F56A1 pushad ; iretd 28_2_009F56C8
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Code function: 28_2_009F4DD9 push esp; ret 28_2_009F4DDD
Source: initial sample Static PE information: section name: .text entropy: 7.31350730909
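The .text entropy of 7.31 reported above is the static counterpart of the decryptor calls and the very large array initialisations noted elsewhere in the report: an executable section that is carrying an encrypted or compressed payload alongside the code. As an added example, not part of the report, the following Python computes that figure from the section table of any PE file. It includes a constructed skeletal PE fixture so that it runs offline; the fixture's .text characteristics are the ones the report lists for the sample (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ), and its contents are deterministic filler, not bytes from the sample.

```python
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
_SECTION = struct.Struct("<8sIIIIIIHHI")          # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> list:
    """Walk the section table of a PE image and report each section's name,
    characteristics and the entropy of its raw (on-disk) bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                     # first IMAGE_SECTION_HEADER
    sections = []
    for k in range(nsections):
        fields = _SECTION.unpack_from(pe, table + k * _SECTION.size)
        name, raw_size, raw_ptr, chars = fields[0], fields[3], fields[4], fields[9]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": chars, "size": len(raw),
                         "entropy": shannon_entropy(raw)})
    return sections


def suspicious_code_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of code sections whose entropy is too high for plain machine code or
    .NET IL (both sit well below 7 bits per byte); above the threshold the section is
    carrying compressed or encrypted data alongside the code."""
    return [s["name"] for s in pe_sections(pe)
            if s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
            and s["entropy"] >= threshold]


def build_pe(sections: list) -> bytes:
    """Constructed fixture: a skeletal PE32 (DOS header, COFF header, zeroed optional
    header, section table, section bodies) that parses like a real image but is not
    loadable. `sections` is a list of (name, data, characteristics)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers_end = e_lfanew + 4 + len(coff) + opt_size + _SECTION.size * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF              # 0x200 file alignment
    table, body, va = b"", b"", 0x1000
    for name, data, chars in sections:
        table += _SECTION.pack(name.encode("ascii").ljust(8, b"\0"), len(data), va,
                               len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        va += (len(data) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers.ljust((headers_end + 0x1FF) & ~0x1FF, b"\0") + body


def pseudo_random(n: int, seed: bytes = b"fixture") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an
    encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# A .text section flagged EXECUTE|CODE|READ, as in the report, but filled with
# high-entropy bytes, next to an all-zero .rsrc section.
SAMPLE_PE = build_pe([
    (".text", pseudo_random(4096), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", b"\0" * 512, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print(f'{s["name"]:8} {s["size"]:6d} bytes  entropy {s["entropy"]:.2f}')
    print("suspicious:", suspicious_code_sections(SAMPLE_PE))
```

Run it on the real file with `suspicious_code_sections(open("Purchase Order.exe", "rb").read())`. The 7.0 threshold is a rule of thumb: compiled code and .NET IL sit well below it, while a .NET loader whose static byte arrays hold the next stage pushes .text toward 8. Entropy alone does not separate packed malware from legitimately compressed or signed software, so treat it as a triage signal to pair with the decryptor calls and the process-injection behaviour the report lists.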

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp"
Source: C:\Users\user\Desktop\Purchase Order.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq Jump to behavior
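The schtasks and Run-key entries above are the sample's two persistence paths: a scheduled task registered from an XML definition written to the user's Temp directory (the condition behind the Sigma hit "Suspicius Add Task From User AppData Temp" in the report's signature list), and an HKCU Run value named after the dropped copy. As an added example, not from the report or the sandbox, the following Python applies both checks to constructed telemetry records. The schtasks command lines are the ones listed above with their quoting restored, the explorer.exe and setup.exe records are benign controls, and the Run value's data is an assumption, since the report gives only the value name.

```python
import re

# Constructed telemetry, not sandbox output. The two schtasks command lines are the ones
# the report lists (quoting restored); the explorer.exe record is a benign control.
PROCESS_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\Purchase Order.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp"'},
    {"parent": r"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
                r'/XML "C:\ProgramData\Backup\nightly.xml"'},
]

# The report names the Run value "tKZVPq" but not its data; pointing it at the dropped
# copy is an assumption made for this example. The second record is a benign control.
REGISTRY_EVENTS = [
    {"process": r"C:\Users\user\Desktop\Purchase Order.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "tKZVPq",
     "data": r"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"},
    {"process": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorAgent",
     "data": r'"C:\Program Files\Vendor\agent.exe" /background'},
]

# schtasks.exe under System32 or SysWOW64 (file-system redirection for 32-bit callers)
_SCHTASKS = re.compile(r"\\(?:system32|syswow64)\\schtasks\.exe$", re.I)
# anything inside a user profile's AppData tree (Roaming, Local, Local\Temp, ...)
_USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
_RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$", re.I)


def switch_value(cmdline: str, name: str):
    """Argument of a schtasks switch such as /TN or /XML, quoted or bare."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % re.escape(name), cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def in_user_appdata(path) -> bool:
    return bool(path) and _USER_APPDATA.match(path) is not None


def first_path(value: str) -> str:
    """Executable at the front of a command line or Run value. Unquoted paths with
    spaces are ambiguous to Windows as well; the first token is taken."""
    value = value.strip()
    if value.startswith('"') and value.find('"', 1) > 0:
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def flag_task_creation(events: list) -> list:
    """schtasks /Create runs whose task XML, or whose parent process, lives under a
    user's AppData tree."""
    hits = []
    for ev in events:
        if not _SCHTASKS.search(ev["image"]) or "/create" not in ev["cmdline"].lower():
            continue
        xml = switch_value(ev["cmdline"], "XML")
        if in_user_appdata(xml) or in_user_appdata(ev["parent"]):
            hits.append({"task": switch_value(ev["cmdline"], "TN"),
                         "xml": xml, "parent": ev["parent"]})
    return hits


def flag_run_values(events: list) -> list:
    """Run/RunOnce values that point into a user's AppData tree, or that are written
    by a process already running from there."""
    hits = []
    for ev in events:
        if not _RUN_KEY.search(ev["key"]):
            continue
        target = first_path(ev["data"])
        if in_user_appdata(target) or in_user_appdata(ev["process"]):
            hits.append({"value": ev["name"], "target": target, "writer": ev["process"]})
    return hits


if __name__ == "__main__":
    for h in flag_task_creation(PROCESS_EVENTS):
        print("suspicious task:", h)
    for h in flag_run_values(REGISTRY_EVENTS):
        print("suspicious Run value:", h)
```

Two details from the report matter for the rules. The image path is SysWOW64\schtasks.exe while the command line names System32: the sample is a 32-bit PE, so file-system redirection sends it to the WOW64 copy, and a rule keyed on the System32 path alone misses it. The task name under an innocuous folder such as Updates\ is cosmetic and not a signal by itself; the XML definition living in Local\Temp, and the Run value resolving into AppData\Roaming, are what carry the weight. The task XML itself (tmp8E57.tmp) is worth collecting before it is deleted, since it holds the trigger and the action path.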

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete Jump to behavior
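The line above is the "hides that the sample has been downloaded" finding: the dropper opens the Zone.Identifier alternate data stream of its copy under AppData\Roaming with delete access. CopyFile (and .NET File.Copy on top of it) carries alternate streams across an NTFS copy, so the dropped file inherits the Mark of the Web from the downloaded lure; removing the stream keeps SmartScreen, Explorer's open-file warning and Office Protected View from treating the copy as an Internet download. As an added example, not from the report, the following Python parses the stream's contents and reads it from a file on Windows; the sample stream is constructed in the shape a browser writes, not taken from the sample.

```python
import configparser
import os

# URLMON security zones recorded in the ZoneId field (the "Mark of the Web").
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
         3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style body of a Zone.Identifier stream. Returns {} when the text
    carries no [ZoneTransfer] section. Interpolation is disabled because HostUrl
    values routinely contain '%'-escapes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep ZoneId / HostUrl casing
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return {}
    section = cp["ZoneTransfer"]
    record = {}
    if "ZoneId" in section:
        zone = int(section["ZoneId"])
        record["zone"] = zone
        record["zone_name"] = ZONES.get(zone, "unknown")
    for field in ("ReferrerUrl", "HostUrl"):
        if field in section:
            record[field] = section[field]
    return record


def is_from_internet(record) -> bool:
    """True for zone 3 (Internet) and 4 (Restricted), the zones that trigger the
    download warnings and Office Protected View."""
    return bool(record) and record.get("zone", 0) >= 3


def zone_identifier_path(path: str) -> str:
    """Path syntax for the alternate data stream that holds the mark."""
    return path + ":Zone.Identifier"


def read_mark_of_the_web(path: str):
    """NTFS only: the parsed stream, or None when the file carries no mark (never
    downloaded, copied off NTFS, or deleted the way the sample does above)."""
    if os.name != "nt":
        raise OSError("alternate data streams need NTFS; run this on Windows")
    try:
        with open(zone_identifier_path(path), encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


# Constructed stream in the shape a browser writes for a download; not from the sample.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.example.invalid/inbox\r\n"
                 "HostUrl=https://files.example.invalid/dl/Purchase%20Order.exe\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

On a live host, `read_mark_of_the_web(r"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe")` returning None for a file whose parent was a download is the state this sample produces; the HostUrl and ReferrerUrl fields, when still present on the original lure, are the quickest pointer back to the delivery site. Note that a stream deletion is an open with DELETE access followed by a close, exactly the access mask the report shows, so an EDR file-open event with that mask on a `:Zone.Identifier` path is the detection hook.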
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX (83 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX (79 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542476618.000000000243B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542476618.000000000243B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5912 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4480 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 3192 Thread sleep count: 3025 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 3192 Thread sleep count: 6830 > 30
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 4324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 3025
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 6830
Source: C:\Users\user\Desktop\Purchase Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order.exe Process information queried: ProcessInformation
Source: tKZVPq.exe, 00000013.00000002.551783085.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging

Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Purchase Order.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Memory written: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\Purchase Order.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match File source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.378482840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.377959898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.535514668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.566073924.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.536182206.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.567278813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR
Source: Yara match File source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.378482840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.377959898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.535514668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.566073924.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.536182206.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.567278813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 5416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR
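The Yara lists under "Stealing of Sensitive Information" and "Remote Access Functionality" name the same set of dumps, and reading forty identifiers by hand to work out which process holds what is slow. The Python below is an added helper, not part of the Joe Sandbox report, that parses the "File source" identifiers and groups them by process index, so the analyst can see directly that process 7 (Purchase Order.exe) and process 23 (tKZVPq.exe) both carry the matching payload at 0x400000, which is the picture the report's "Injects a PE file into a foreign processes" signature describes. The field layout it assumes is inferred from the names in the report rather than documented anywhere on the page: for `.unpack` names, `<process index>.<dump phase>.<image>.<hex base>.<n>[.raw]`; for `.sdmp` names, the first field is taken to be the process index in hex (00000017 = 23 and 00000013 = 19, matching the 23.x.tKZVPq.exe and 19.2.tKZVPq.exe entries) and the fifth field is taken to be the region's page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The PAGE_* values are the standard Windows constants; their position in the identifier is the assumption. The sample lines are a subset of the report's own entries.

```python
"""Parse Joe Sandbox 'Yara match File source' identifiers and correlate them
per process. Added example for reading the report above; not part of the
report. The identifier field layout below is an assumption inferred from the
names in the report (see the lead-in)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample: a representative subset of the report's match lines.
SAMPLE_LINES = """\
Source: Yara match File source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (.+), type: (UNPACKEDPE|MEMORY|MEMORYSTR)$")
# <proc index>.<dump phase>.<image>.<hex base>.<n>[.raw].unpack   (assumed layout)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")
# <proc index hex>.<phase hex>.<id>.<hex address>.<protect>.<x>.<y>.<z>.sdmp   (assumed layout)
SDMP_RE = re.compile(
    r"^([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.(\d+)\.([0-9a-fA-F]{16})"
    r"\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.sdmp$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# Standard Windows page-protection constants (winnt.h).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass(frozen=True)
class Hit:
    kind: str                    # UNPACKEDPE | MEMORY | MEMORYSTR
    proc: Optional[int]          # sandbox process index (None for MEMORYSTR)
    phase: Optional[int]         # dump phase as written in the identifier
    image: Optional[str]         # process image name, where the identifier has it
    base: Optional[int]          # address of the dumped image/region
    protect: Optional[int]       # assumed page-protection field (sdmp only)
    pid: Optional[int]           # OS PID (MEMORYSTR only)


def parse_line(line: str) -> Optional[Hit]:
    """Turn one 'Source: Yara match ...' line into a Hit, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ident, kind = m.group(1), m.group(2)
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(ident)
        return Hit(kind, int(u[1]), int(u[2]), u[3], int(u[4], 16), None, None) if u else None
    if kind == "MEMORY":
        s = SDMP_RE.match(ident)
        return Hit(kind, int(s[1], 16), int(s[2], 16), None, int(s[4], 16), int(s[5], 16), None) if s else None
    p = MEMSTR_RE.match(ident)
    return Hit(kind, None, None, p[1], None, None, int(p[2])) if p else None


def correlate(text: str) -> Dict[int, dict]:
    """Group hits by process index: image name, all matched addresses, and the
    addresses whose (assumed) protection field carries PAGE_EXECUTE_READWRITE."""
    procs: Dict[int, dict] = defaultdict(lambda: {"image": None, "bases": set(), "rwx": set()})
    for line in text.splitlines():
        h = parse_line(line)
        if h is None or h.proc is None:
            continue
        p = procs[h.proc]
        if h.image:
            p["image"] = h.image
        p["bases"].add(h.base)
        if h.protect is not None and h.protect & PAGE_EXECUTE_READWRITE:
            p["rwx"].add(h.base)
    return dict(procs)


def shared_bases(procs: Dict[int, dict]) -> Set[int]:
    """Addresses at which more than one process carries a matching dump: the
    signature of one payload being injected into several hosts."""
    seen: Dict[int, Set[int]] = defaultdict(set)
    for idx, p in procs.items():
        for b in p["bases"]:
            seen[b].add(idx)
    return {b for b, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    table = correlate(SAMPLE_LINES)
    for idx in sorted(table):
        p = table[idx]
        print(f"proc {idx:>2} {p['image'] or '?':<20} "
              f"bases={[hex(b) for b in sorted(p['bases'])]} rwx={[hex(b) for b in sorted(p['rwx'])]}")
    print("shared:", [hex(b) for b in sorted(shared_bases(table))])
```

Run against the full lists above, the output groups the 0x400000 image dumps and the 0x402000 memory dumps under processes 7 and 23 only, while the 0x3fff900 / 0x35bf900 / 0x3bcf900 raw dumps sit under processes 0, 17 and 19 as heap-resident copies of the payload before injection. The PID-only MEMORYSTR entries carry no process index in the identifier, so the helper parses them but does not try to join them to the index-keyed table.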
No contacted IP infos