Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 618941
MD5: d88a146f731e00b42947ec060f3d4f43
SHA1: 46243e85f209fdb306affd5eefb9ffe5fa3d2614
SHA256: d08b7126b81c09be7e54774cc35399faceef0c2d4732cbbca5d46c48d89a2f51
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: MSBuild connects to smtp port
Yara detected MSILDownloaderGeneric
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code contains potential unpacker
Yara detected Generic Downloader
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 0.2.Purchase Order.exe.3a8cae8.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "finans@pilotgarage.com", "Password": "Fnns01Pg16", "Host": "mail.pilotgarage.com"}
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe ReversingLabs: Detection: 30%
Source: 17.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: Purchase Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: Purchase Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 1800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Puizg.exe PID: 7008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Puizg.exe PID: 7144, type: MEMORYSTR
Source: Yara match File source: Purchase Order.exe, type: SAMPLE
Source: Yara match File source: 20.2.Puizg.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Purchase Order.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Puizg.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Puizg.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Puizg.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe, type: DROPPED
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /attachments/968108194327052308/970585558680223784/Nqdkg_Cbadgewx.png HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 5.250.241.50:587
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.143
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 8.248.119.254
Source: MSBuild.exe, 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DGeKzF.com
Source: MSBuild.exe, 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.507075685.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: Purchase Order.exe, 00000000.00000002.371341648.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000014.00000002.515244833.0000000007D4D000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.505962003.0000000000A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: MSBuild.exe, 00000011.00000002.514320253.0000000006D20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.514404668.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: MSBuild.exe, 00000011.00000003.399506680.00000000064AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: MSBuild.exe, 00000011.00000003.398032121.0000000006466000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398159493.0000000006466000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.513627151.0000000006466000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: MSBuild.exe, 00000011.00000003.399232389.000000000640C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: MSBuild.exe, 00000011.00000002.507075685.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: MSBuild.exe, 00000011.00000003.399569476.0000000006446000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.514663207.0000000006DE6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399483394.0000000006DE3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.513705001.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398047213.0000000006DD8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.17.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: MSBuild.exe, 00000011.00000003.395492740.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.396384984.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?108821fec9101
Source: MSBuild.exe, 00000011.00000003.398325450.0000000006D3B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: MSBuild.exe, 00000011.00000003.398325450.0000000006D3B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.514404668.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.514404668.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: MSBuild.exe, 00000011.00000003.399506680.00000000064AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.pilotgarage.com
Source: MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: MSBuild.exe, 00000011.00000003.398325450.0000000006D3B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: MSBuild.exe, 00000011.00000003.399451261.0000000006D38000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399030833.0000000006D35000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: MSBuild.exe, 00000011.00000003.399208416.0000000006D28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: MSBuild.exe, 00000011.00000003.399506680.00000000064AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.507075685.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0f
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.507075685.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399208416.0000000006D28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: Purchase Order.exe, 00000000.00000002.371704662.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000014.00000002.507585311.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.507971683.0000000002681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: MSBuild.exe, 00000011.00000003.399208416.0000000006D28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: MSBuild.exe, 00000011.00000003.399451261.0000000006D38000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399030833.0000000006D35000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: MSBuild.exe, 00000011.00000003.399451261.0000000006D38000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399030833.0000000006D35000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: MSBuild.exe, 00000011.00000003.399506680.00000000064AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: MSBuild.exe, 00000011.00000003.399506680.00000000064AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.514404668.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: MSBuild.exe, 00000011.00000003.399506680.00000000064AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.513615137.0000000006464000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398995729.0000000006D2C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: MSBuild.exe, 00000011.00000003.399105815.0000000006D60000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.514457454.0000000006D63000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: MSBuild.exe, 00000011.00000003.399451261.0000000006D38000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399030833.0000000006D35000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: MSBuild.exe, 00000011.00000003.398047213.0000000006DD8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398047213.0000000006DD8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.eme.lv/repository0
Source: MSBuild.exe, 00000011.00000003.399105815.0000000006D60000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oaticerts.com/repository.
Source: MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: MSBuild.exe, 00000011.00000003.398206126.0000000006449000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: MSBuild.exe, 00000011.00000003.399208416.0000000006D28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: MSBuild.exe, 00000011.00000003.399208416.0000000006D28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: MSBuild.exe, 00000011.00000003.398032121.0000000006466000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398159493.0000000006466000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: MSBuild.exe, 00000011.00000003.398995729.0000000006D2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.rcsc.lt/repository0
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: MSBuild.exe, 00000011.00000003.398014139.0000000006461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order.exe, 00000000.00000002.373822257.0000000006B92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000011.00000003.399053031.0000000006D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000011.00000002.513485610.00000000063B0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.509801704.0000000003357000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Purchase Order.exe, 00000000.00000002.371704662.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000014.00000002.507585311.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.507971683.0000000002681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: Puizg.exe, Puizg.exe, 00000017.00000000.408987294.0000000000282000.00000002.00000001.01000000.0000000A.sdmp, Puizg.exe, 00000017.00000002.507971683.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, Puizg.exe.0.dr String found in binary or memory: https://cdn.discordapp.com/attachments/968108194327052308/970585558680223784/Nqdkg_Cbadgewx.png
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MSBuild.exe, 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eD1SuZymOZStl.or
Source: MSBuild.exe, 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eD1SuZymOZStl.org
Source: MSBuild.exe, 00000011.00000003.398325450.0000000006D3B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398231155.0000000006D2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eca.hinet.net/repository0
Source: MSBuild.exe, 00000011.00000003.399413894.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: Purchase Order.exe, 00000000.00000002.371780538.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000014.00000002.508311794.0000000003307000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.508643864.0000000002755000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Purchase Order.exe, 00000000.00000002.371780538.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000014.00000002.508311794.0000000003307000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.508643864.0000000002755000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Purchase Order.exe, 00000000.00000002.371780538.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000014.00000002.508311794.0000000003307000.00000004.00000800.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.508643864.0000000002755000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: MSBuild.exe, 00000011.00000003.398106072.0000000006454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: MSBuild.exe, 00000011.00000003.398694540.0000000006D42000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398883491.0000000006D4A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.398338255.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: MSBuild.exe, 00000011.00000003.397864043.000000000647A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: MSBuild.exe, 00000011.00000003.397864043.000000000647A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: MSBuild.exe, 00000011.00000003.397677340.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: MSBuild.exe, 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: MSBuild.exe, 00000011.00000003.397824150.000000000646C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/968108194327052308/970585558680223784/Nqdkg_Cbadgewx.png HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/968108194327052308/970585558680223784/Nqdkg_Cbadgewx.png HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/968108194327052308/970585558680223784/Nqdkg_Cbadgewx.png HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: Purchase Order.exe, 00000000.00000002.371300028.0000000000E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.Purchase Order.exe.3adcb08.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3a8cae8.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3a64ac8.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3a8cae8.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3adcb08.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.3.Purchase Order.exe.3ccafd0.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.Purchase Order.exe.3ccafd0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.Purchase Order.exe.3a99990.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 20.2.Puizg.exe.4319990.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 23.2.Puizg.exe.3769990.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 23.2.Puizg.exe.3769990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 23.2.Puizg.exe.36e9970.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 20.2.Puizg.exe.4319990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 20.2.Puizg.exe.4299970.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.Purchase Order.exe.3a99990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 20.2.Puizg.exe.4259950.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 23.2.Puizg.exe.36a9950.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.Purchase Order.exe.3a19970.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: initial sample Static PE information: Filename: Purchase Order.exe
Source: 17.2.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b37095B3Cu002dAC8Fu002d4F34u002d92E4u002dF9E61206C529u007d/u00392E28B4Bu002d4E3Eu002d4417u002dA852u002dA3F58E93A3A4.cs Large array initialization: .cctor: array initializer size 11626
Source: Purchase Order.exe Static file information: Suspicious name
Source: Purchase Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order.exe, type: SAMPLE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 20.2.Puizg.exe.fa0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.Purchase Order.exe.740000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.Purchase Order.exe.740000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 23.0.Puizg.exe.280000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 20.0.Puizg.exe.fa0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.Purchase Order.exe.3adcb08.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3a8cae8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3a64ac8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3a8cae8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3adcb08.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.Puizg.exe.280000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.3.Purchase Order.exe.3ccafd0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.Purchase Order.exe.3ccafd0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.Purchase Order.exe.3a99990.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 20.2.Puizg.exe.4319990.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 23.2.Puizg.exe.3769990.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 23.2.Puizg.exe.3769990.2.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 23.2.Puizg.exe.3769990.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 23.2.Puizg.exe.36e9970.1.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 23.2.Puizg.exe.36e9970.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 20.2.Puizg.exe.4319990.2.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 20.2.Puizg.exe.4319990.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 20.2.Puizg.exe.4299970.1.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 20.2.Puizg.exe.4299970.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.Purchase Order.exe.3a99990.2.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.3.Purchase Order.exe.3a99990.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 20.2.Puizg.exe.4259950.3.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 20.2.Puizg.exe.4259950.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 23.2.Puizg.exe.36a9950.3.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 23.2.Puizg.exe.36a9950.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.Purchase Order.exe.3a19970.0.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.3.Purchase Order.exe.3a19970.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0074210A 0_2_0074210A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0126C164 0_2_0126C164
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0126E5A0 0_2_0126E5A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0126E5B0 0_2_0126E5B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_080DE228 0_2_080DE228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_02F3F3C8 17_2_02F3F3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_02F3F080 17_2_02F3F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_02F36120 17_2_02F36120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0656B750 17_2_0656B750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06566173 17_2_06566173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06565870 17_2_06565870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06563330 17_2_06563330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0656CFF8 17_2_0656CFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0656CFA8 17_2_0656CFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06569DE0 17_2_06569DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06898508 17_2_06898508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06896550 17_2_06896550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0689F368 17_2_0689F368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_068970F8 17_2_068970F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06899FC0 17_2_06899FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0689BC10 17_2_0689BC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06892AB8 17_2_06892AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06892B58 17_2_06892B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06891878 17_2_06891878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_068983B9 17_2_068983B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0689BBAC 17_2_0689BBAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06944280 17_2_06944280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_069416C8 17_2_069416C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06948220 17_2_06948220
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 20_2_00FA210A 20_2_00FA210A
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 20_2_0308C164 20_2_0308C164
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 20_2_0308E5A0 20_2_0308E5A0
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 20_2_0308E5B0 20_2_0308E5B0
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 23_2_0028210A 23_2_0028210A
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 23_2_06763750 23_2_06763750
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 23_2_0676C8B8 23_2_0676C8B8
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Code function: 23_2_0676C8A8 23_2_0676C8A8
Source: Purchase Order.exe, 00000000.00000002.371899368.0000000002B15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQHVMyeBHFDdIOlKMOqpBtYESXmYzDcD.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000003.366740996.00000000039E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXlwiuzuhblbjndopficwsye.dll" vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.371300028.0000000000E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000000.237791318.0000000000746000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNqdkg.exe0 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.372147247.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQHVMyeBHFDdIOlKMOqpBtYESXmYzDcD.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.372093079.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQHVMyeBHFDdIOlKMOqpBtYESXmYzDcD.exe4 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000003.306760111.0000000003EEB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXlwiuzuhblbjndopficwsye.dll" vs Purchase Order.exe
Source: Purchase Order.exe Binary or memory string: OriginalFilenameNqdkg.exe0 vs Purchase Order.exe
Source: Purchase Order.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Puizg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\Purchase Order.exe Jump to behavior
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe "C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe "C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe"
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Roaming\Oarkzlb Jump to behavior
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@22/5@5/4
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_01
Source: 17.2.MSBuild.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 17.2.MSBuild.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
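The "Static PE information" lines above (32BIT_MACHINE, EXECUTABLE_IMAGE, the DllCharacteristics flags, the DEBUG and COM_DESCRIPTOR data directories, the .text section flags) are all read straight out of the PE headers. The following Python is an added triage example, not code from the sandbox or from the sample: it builds a constructed PE32 header in memory (no real code, just the fields the report mentions), parses it the way a static analyzer would, and flags a COM descriptor (managed .NET image) and a COFF timestamp later than the current date, which is a common sign of a forged build time. The header values and the reference date are assumptions chosen for the example; the timestamp constant is the one the report lists for this sample under Data Obfuscation.

```python
import struct
import time
import datetime

# PE/COFF constants behind the flag names the sandbox prints
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14      # non-zero => CLR header present => managed image
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20, 0x20000000, 0x40000000
SCN_FLAGS = {IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE", IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
             IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ"}


def build_sample_pe(timestamp, file_chars, dll_chars, managed=True):
    """Constructed PE32 header (DOS stub, COFF, optional header, one section header, no code)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, file_chars)
    opt_std = struct.pack("<HBBIIIIII", 0x10B, 48, 0, 0x200, 0x200, 0, 0x2000, 0x2000, 0x4000)
    opt_win = struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                          0x6000, 0x200, 0, 2, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (0x2100, 0x1C)
    if managed:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)   # IMAGE_COR20_HEADER rva/size
    opt_dirs = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return bytes(dos) + b"PE\0\0" + coff + opt_std + opt_win + opt_dirs + text


def parse_pe(data):
    """Return the header fields that the sandbox's 'Static PE information' lines are built from."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled in this example")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]     # DllCharacteristics offset in PE32
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]        # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsect):
        name, *_, sch = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), sch))
    return {"machine": machine, "timestamp": ts, "file_chars": file_chars,
            "dll_chars": dll_chars, "dirs": dirs, "sections": sections}


def triage(info, now_ts=None):
    """Translate parsed header fields into findings in the style of the report lines."""
    now_ts = time.time() if now_ts is None else now_ts
    findings = []
    if info["file_chars"] & IMAGE_FILE_32BIT_MACHINE:
        findings.append("32BIT_MACHINE")
    if info["file_chars"] & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("EXECUTABLE_IMAGE")
    findings += [name for bit, name in DLL_FLAGS.items() if info["dll_chars"] & bit]
    if info["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][0]:
        findings.append("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (managed .NET image)")
    if info["dirs"][IMAGE_DIRECTORY_ENTRY_DEBUG][0]:
        findings.append("IMAGE_DIRECTORY_ENTRY_DEBUG")
    built = datetime.datetime.fromtimestamp(info["timestamp"], datetime.timezone.utc)
    if info["timestamp"] > now_ts:
        findings.append(f"timestamp in the future: 0x{info['timestamp']:08X} "
                        f"[{built:%a %b %d %H:%M:%S %Y} UTC] (forged or randomized build time)")
    for name, sch in info["sections"]:
        findings.append(f"Section: {name} " + ", ".join(n for bit, n in SCN_FLAGS.items() if sch & bit))
    return findings


# Constructed header mirroring the static findings for this sample (assumed values apart from the flags)
SAMPLE = build_sample_pe(0x911D7309, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
                         0x0040 | 0x0100 | 0x0400 | 0x8000)

if __name__ == "__main__":
    for finding in triage(parse_pe(SAMPLE)):
        print(finding)
```

On a real file, replace SAMPLE with the bytes read from disk; the parser deliberately stops at PE32 because 64-bit optional headers place DllCharacteristics and the directories at different offsets.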

Data Obfuscation

Source: Purchase Order.exe, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Puizg.exe.0.dr, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Purchase Order.exe.740000.0.unpack, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Purchase Order.exe.740000.0.unpack, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 20.2.Puizg.exe.fa0000.0.unpack, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 20.0.Puizg.exe.fa0000.0.unpack, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 23.0.Puizg.exe.280000.0.unpack, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 23.2.Puizg.exe.280000.0.unpack, Form3.cs .Net Code: button1_Click System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_01261C58 push ebx; iretd 0_2_01261C7A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_07C12CDC push eax; ret 0_2_07C12CDD
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_07C101FE push cs; ret 0_2_07C10202
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_080D2CA9 push ecx; ret 0_2_080D2CAC
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_080D07E7 push 8B039B89h; retf 0_2_080D07EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065697E9 push es; retf 17_2_06569838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065692C3 push 8B000003h; iretd 17_2_065692CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06563330 push es; iretd 17_2_065641D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06563330 push es; iretd 17_2_065641E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06560040 pushfd ; retf 17_2_06560D81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06562177 push edi; retn 0000h 17_2_06562179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065641D1 push es; iretd 17_2_065641D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065641D9 push es; iretd 17_2_065641E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06569841 push es; retf 17_2_06569838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065618F6 push es; ret 17_2_06561910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065618BD push es; ret 17_2_065618C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_065618AA push es; ret 17_2_065618C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06561909 push es; ret 17_2_06561910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0689DF58 push es; retf 17_2_0689DF5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06940040 push es; retf 17_2_06941040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06941599 push es; retf 17_2_069415A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0694158D push es; retf 17_2_06941594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06941291 push es; retf 17_2_0694129C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_069412A1 push es; retf 17_2_069412A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_069412ED push es; retf 17_2_069412F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_069413D1 push es; retf 17_2_069413D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_069413C1 push es; retf 17_2_069413CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06941339 push es; retf 17_2_06941340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06941329 push es; retf 17_2_06941338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06941375 push es; retf 17_2_0694138C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06941045 push es; retf 17_2_06941048
Source: Purchase Order.exe Static PE information: compile timestamp 0x911D7309 [Sun Feb 24 13:05:13 2047 UTC], a date in the future (forged or randomized build time)
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Puizg Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Puizg Jump to behavior
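The process tree and persistence lines above (an executable on the Desktop spawning "cmd.exe /c timeout 20", then launching MSBuild.exe with no project to build, dropping Puizg.exe into AppData\Roaming and registering it under the HKCU Run key) form a chain that is easy to express as correlation rules over endpoint telemetry. The Python below is an added detection example, not part of the report or of any vendor product: it runs four such rules over a constructed, Sysmon-style event list modelled on those lines (plus a benign MSBuild build launched from devenv.exe as a control). Field names, PIDs and the devenv path are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed event stream (not a capture), modelled on the process, file and registry lines
# of this report; pids/ppids are invented to express the parent/child relationships.
EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 2, "ppid": 1, "image": r"C:\Users\user\Desktop\Purchase Order.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\Purchase Order.exe"'},
    {"type": "file", "pid": 2, "path": r"C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe"},
    {"type": "registry", "pid": 2, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Puizg", "data": r"C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe"},
    {"type": "process", "pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c timeout 20'},
    {"type": "process", "pid": 4, "ppid": 3, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 20"},
    {"type": "process", "pid": 5, "ppid": 2, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "process", "pid": 6, "ppid": 1, "image": r"C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe",
     "cmdline": '"C:\\Users\\user\\AppData\\Roaming\\Oarkzlb\\Puizg.exe"'},
    # benign control (assumed path): a real build, MSBuild given a project file by Visual Studio
    {"type": "process", "pid": 7, "ppid": 1, "cmdline": "devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "process", "pid": 8, "ppid": 7, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe app.csproj /t:Build"},
]

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
DELAY_CMD = re.compile(r"/c\s+timeout\s+\d+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the rules over an ordered event stream; returns (rule, detail, ...) tuples."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = defaultdict(set)      # pid -> lower-cased paths that process wrote
    persisted = set()               # lower-cased paths registered under a Run key
    alerts = []
    for e in events:
        if e["type"] == "file":
            dropped[e["pid"]].add(e["path"].lower())
            continue
        if e["type"] == "registry":
            if "\\currentversion\\run" not in e["key"].lower():
                continue
            target = e["data"].strip('"').lower()
            creator = procs.get(e["pid"], {}).get("image", "?")
            if USER_WRITABLE.search(target):
                alerts.append(("run_key_to_user_writable_path", creator, e["value"], e["data"]))
            if target in dropped[e["pid"]]:      # the writer of the file is also the one persisting it
                alerts.append(("run_key_points_to_file_dropped_by_creator", creator, e["data"]))
            persisted.add(target)
            continue
        # process creation
        parent = procs.get(e["ppid"])
        parent_img = parent["image"] if parent else ""
        parent_user_writable = bool(USER_WRITABLE.search(parent_img))
        img = basename(e["image"])
        if img == "msbuild.exe" and parent_user_writable:
            # command line that is only the image path: nothing to build, so a hollowing/injection host
            if e["cmdline"].strip().strip('"').lower() == e["image"].lower():
                alerts.append(("msbuild_without_project_from_user_writable_parent", parent_img, e["image"]))
        if img == "cmd.exe" and parent_user_writable and DELAY_CMD.search(e["cmdline"]):
            alerts.append(("cmd_timeout_delay_from_user_writable_parent", parent_img, e["cmdline"]))
        if e["image"].lower() in persisted:
            alerts.append(("persisted_binary_executed", e["image"], e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The MSBuild rule keys on the absence of a project argument together with a parent in a user-writable directory rather than on MSBuild.exe alone, so the devenv-driven build in the control events produces no alert; the Run-key rule correlates the registry write with the file the same process dropped, which is the pattern the report shows rather than a generic "Run key modified" signal.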

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (92).png
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX (21 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process information set: NOOPENFILEERRORBOX (92 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 6164 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6460 Thread sleep count: 168 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6740 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6744 Thread sleep count: 5417 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6744 Thread sleep count: 3228 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6676 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3372 Thread sleep count: 112 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3684 Thread sleep count: 57 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (5 identical entries)
Source: C:\Windows\SysWOW64\timeout.exe Last function: Thread delayed (4 identical entries)
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000011.00000003.394872039.0000000006494000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.395492740.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.513705001.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.397896256.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.396384984.000000000647F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.507075685.000000000145C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.394842655.0000000006486000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Purchase Order.exe, 00000000.00000002.371341648.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, Puizg.exe, 00000017.00000002.505962003.0000000000A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Puizg.exe, 00000017.00000002.514910753.0000000007280000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\f
Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06895308 LdrInitializeThunk, 17_2_06895308
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
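The Python script below is an added triage example for the evasion entries above; it is not part of the Joe Sandbox report and not code from the sample. It parses behaviour lines in the format printed on this page (SAMPLE_LINES is constructed from lines of this report), rebuilds the cmd /c timeout and MSBuild.exe process chain, collects the WMI classes queried, and renders the raw sleep values in readable units: 922337203685477 ms is INT64_MAX 100-ns ticks converted to milliseconds, roughly 29,000 years, i.e. an effectively infinite wait, which is what "sample execution stops while process was sleeping" records. Treating the report's "-30000s" as a 30 000 ms sandbox limit, the INFINITE_MS cut-off and the BUILD_PARENTS list of processes that may legitimately start MSBuild.exe are assumptions of this example.

```python
"""Triage helper for Joe Sandbox-style evasion lines (added example, not the report's code).

SAMPLE_LINES is constructed from lines of the report above. The 30 s sandbox
limit, the "infinite" cut-off and BUILD_PARENTS are assumptions made here.
"""
import re

SANDBOX_SLEEP_LIMIT_MS = 30_000            # assumption: "-30000s" in the report means 30 000 ms
INFINITE_MS = (2**63 - 1) // 10_000        # 922337203685477: INT64_MAX 100-ns ticks as milliseconds
BUILD_PARENTS = ("\\devenv.exe", "\\dotnet.exe", "\\msbuild.exe")  # assumed legitimate MSBuild parents
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed input: copies of evasion lines printed in the report above.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5852 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\timeout.exe TID: 6460 Thread sleep count: 168 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6744 Thread sleep count: 5417 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6676 Thread sleep time: -60000s >= -30000s",
    r'Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20',
    r"Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20",
]

_PROC = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
_WMI = re.compile(r"^Source: (?P<proc>.+?) WMI Queries: .*?(?P<cls>Win32_\w+)\s*$")
_SLEEP = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
_LOOP = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")


def humanize_ms(ms: int) -> str:
    """Render a delay so a reviewer sees 'infinite' or '~29,228 years' instead of raw digits."""
    if ms >= INFINITE_MS:
        return "infinite (INT64_MAX ticks)"
    years = ms / (1000 * 60 * 60 * 24 * 365.25)
    return f"~{years:,.0f} years" if years >= 1 else f"{ms / 1000:g} s"


def parse_line(line: str):
    """Turn one report line into an event dict, or None for line types this helper does not model."""
    line = re.sub(r"\s*Jump to behavior\s*$", "", line.strip())   # drop the HTML link label
    if m := _PROC.match(line):
        return {"kind": "proc", **m.groupdict()}
    if m := _WMI.match(line):
        return {"kind": "wmi", "proc": m["proc"], "cls": m["cls"]}
    if m := _SLEEP.match(line):
        return {"kind": "sleep", "proc": m["proc"], "ms": int(m["ms"])}
    if m := _LOOP.match(line):
        return {"kind": "loop", "proc": m["proc"], "n": int(m["n"])}
    return None


def triage(lines):
    """Summarise VM fingerprinting, stalling and MSBuild host abuse from report lines."""
    events = [e for e in map(parse_line, lines) if e]
    wmi, findings = {}, []
    for e in events:
        if e["kind"] == "wmi":
            wmi.setdefault(e["proc"], set()).add(e["cls"])
    long_sleeps = [(e["proc"], e["ms"], humanize_ms(e["ms"]))
                   for e in events if e["kind"] == "sleep" and e["ms"] >= SANDBOX_SLEEP_LIMIT_MS]
    # timeout.exe sleeping in a loop is what `timeout 20` does by design; only other processes count.
    loops = [(e["proc"], e["n"]) for e in events
             if e["kind"] == "loop" and not e["proc"].lower().endswith("\\timeout.exe")]
    for e in events:
        if e["kind"] != "proc":
            continue
        image, parent = e["image"].lower(), e["parent"].lower()
        # MSBuild launched with only its own path (no project, no switches) by a non-build parent
        # is not compiling anything: it is a signed host process for injected code.
        if (image.endswith("\\msbuild.exe") and e["cmdline"].strip('" ').lower() == image
                and not parent.endswith(BUILD_PARENTS)):
            findings.append(f"{e['parent']} -> MSBuild.exe with no project: injection host")
        if image.endswith("\\cmd.exe") and re.search(r"/c\s+timeout\s+\d+", e["cmdline"], re.I):
            findings.append(f"{e['parent']} stalls via 'cmd /c timeout': sandbox delay")
    findings += [f"{p} sleeps {h} (>= {SANDBOX_SLEEP_LIMIT_MS // 1000} s limit)" for p, _, h in long_sleeps]
    findings += [f"{p} busy-sleeps {n} times" for p, n in loops]
    findings += [f"{p} fingerprints host via WMI: {', '.join(sorted(c))}" for p, c in wmi.items()]
    return {"wmi": wmi, "long_sleeps": long_sleeps, "loops": loops, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES)["findings"]:
        print(finding)
```

Two design choices follow from the entries above. The "Thread sleep count" lines attributed to timeout.exe are inherent to `timeout 20`, so the script does not score them; the evasion is the parent spawning `cmd /c timeout`, which is what gets flagged. Memory strings such as "Hyper-V RAW" are likewise ignored: the report shows it immediately followed by %SystemRoot%\system32\mswsock.dll, which is consistent with the Winsock catalog entry for Hyper-V sockets that any process using Winsock on a Hyper-V-capable host will have in memory, so the Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration queries, not that string, are the evidence of VM fingerprinting.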
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Queries volume information: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Oarkzlb\Puizg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Purchase Order.exe.3adcb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3a8cae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3a64ac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3a8cae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3adcb08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.504132970.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372147247.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372093079.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372017902.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 1800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6644, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6644, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Purchase Order.exe.3adcb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3a8cae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3a64ac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3a8cae8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3adcb08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.504132970.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372147247.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372093079.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372017902.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.508094226.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 1800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6644, type: MEMORYSTR