Analysis Report purchase order.exe

Overview

General Information

Sample Name: purchase order.exe
Analysis ID: 255470
MD5: de3e924dfe469d9d7efe3c69ece5af68
SHA1: e1c8598e8308b0effd73af08bc5531f398a0a213
SHA256: 9bbebb59b74b06b6d1db59d4d33f0baa4a6d44ec18b51b4ec11b9ae210e8bff8

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • purchase order.exe (PID: 6812 cmdline: 'C:\Users\user\Desktop\purchase order.exe' MD5: DE3E924DFE469D9D7EFE3C69ECE5AF68)
    • purchase order.exe (PID: 7160 cmdline: {path} MD5: DE3E924DFE469D9D7EFE3C69ECE5AF68)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 6736 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 5856 cmdline: /c del 'C:\Users\user\Desktop\purchase order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: purchase order.exe, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6569e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source: 00000000.00000002.266968477.0000000000512000.00000002.00020000.sdmp, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6549e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Strings: 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • Strings: 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000000.242745115.0000000000512000.00000002.00020000.sdmp, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6549e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Unpacked PEs

Source: 5.0.purchase order.exe.520000.0.unpack, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6569e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 5.2.purchase order.exe.520000.1.unpack, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6569e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0.0.purchase order.exe.510000.0.unpack, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6569e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 4.2.purchase order.exe.390000.0.unpack, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6569e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 4.0.purchase order.exe.390000.0.unpack, Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Author: Florian Roth
  • Strings: 0x6569e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3508, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6736
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3508, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6736

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.509126090.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.318882778.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.318318774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.318780033.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.511355117.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.269038154.00000000039BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: purchase order.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then pop ebx, 5_2_00407AC8
Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then pop esi, 5_2_0041737D
Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then pop edi, 5_2_00416D41
Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then pop edi, 5_2_0040E572
Source: C:\Users\user\Desktop\purchase order.exe, Code function: 4x nop then pop edi, 5_2_00417D89
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 14_2_006C7AC8
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi, 14_2_006D737D
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 14_2_006CE572
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 14_2_006D6D41
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 14_2_006D7D89
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: g.msn.com
Source: explorer.exe, 00000006.00000000.293568104.000000000A9D0000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.293568104.000000000A9D0000.00000002.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.298664738.000000000E929000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://find.joins.com/
Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.yahoo.co.jp
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
    Source: explorer.exe, 00000006.00000000.293568104.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
    Source: explorer.exe, 00000006.00000000.293568104.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
    Source: explorer.exe, 00000006.00000000.294233246.000000000B1D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
    Source: explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
    Source: purchase order.exe, 00000000.00000002.272551605.0000000006A82000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.294372240.000000000B430000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
    Source: explorer.exe, 00000006.00000000.293752099.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
    Source: purchase order.exe, 00000000.00000002.267610731.0000000000CFA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match | File source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000E.00000002.509126090.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.318882778.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.318318774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.318780033.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000E.00000002.511355117.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.269038154.00000000039BE000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 5.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000E.00000002.509126090.00000000006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000E.00000002.509126090.00000000006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000005.00000002.318882778.0000000000B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000005.00000002.318882778.0000000000B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000005.00000002.318318774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000005.00000002.318318774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000005.00000002.318780033.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000005.00000002.318780033.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000E.00000002.511355117.0000000002D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000E.00000002.511355117.0000000002D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000000.00000002.269038154.00000000039BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000000.00000002.269038154.00000000039BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 5.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 5.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 5.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 5.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Executable has a suspicious name (potential lure to open the executable)
    Source: purchase order.exe | Static file information: Suspicious name
    Initial sample is a PE file and has a suspicious name
    Source: initial sample | Static PE information: Filename: purchase order.exe
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00419830 NtCreateFile
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_004198E0 NtReadFile
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00419960 NtClose
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00419A10 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_004198DA NtReadFile
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0041995C NtClose
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049910 NtAdjustPrivilegesToken, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010499A0 NtCreateSection, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049840 NtDelayExecution, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049860 NtQuerySystemInformation, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010498F0 NtReadVirtualMemory, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049A00 NtProtectVirtualMemory, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049A20 NtResumeThread, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049A50 NtCreateFile, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049540 NtReadFile, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010495D0 NtClose, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049710 NtQueryInformationToken, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049780 NtMapViewOfSection, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010497A0 NtUnmapViewOfSection, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049660 NtAllocateVirtualMemory, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010496E0 NtFreeVirtualMemory, LdrInitializeThunk
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049950 NtQueueApcThread
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010499D0 NtCreateProcessEx
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049820 NtEnumerateKey
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0104B040 NtSuspendThread
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010498A0 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049B00 NtSetValueKey
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0104A3B0 NtGetContextThread
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049A10 NtQuerySection
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049A80 NtOpenDirectoryObject
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049520 NtWaitForSingleObject
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0104AD30 NtSetContextThread
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049560 NtWriteFile
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010495F0 NtQueryInformationFile
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0104A710 NtOpenProcessToken
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049730 NtQueryVirtualMemory
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049760 NtOpenProcess
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0104A770 NtOpenThread
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049770 NtSetInformationFile
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049FE0 NtCreateMutant
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049610 NtEnumerateValueKey
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049650 NtQueryValueKey
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01049670 NtQueryInformationProcess
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010496D0 NtCreateKey
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269710 NtQueryInformationToken, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269780 NtMapViewOfSection, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269FE0 NtCreateMutant, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269660 NtAllocateVirtualMemory, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269650 NtQueryValueKey, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269A50 NtCreateFile, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032696E0 NtFreeVirtualMemory, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032696D0 NtCreateKey, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269910 NtAdjustPrivilegesToken, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269540 NtReadFile, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032699A0 NtCreateSection, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032695D0 NtClose, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269860 NtQuerySystemInformation, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269840 NtDelayExecution, LdrInitializeThunk
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269730 NtQueryVirtualMemory
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269B00 NtSetValueKey
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0326A710 NtOpenProcessToken
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269760 NtOpenProcess
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269770 NtSetInformationFile
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0326A770 NtOpenThread
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032697A0 NtUnmapViewOfSection
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0326A3B0 NtGetContextThread
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269A20 NtResumeThread
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269A00 NtProtectVirtualMemory
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269610 NtEnumerateValueKey
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269A10 NtQuerySection
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269670 NtQueryInformationProcess
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269A80 NtOpenDirectoryObject
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269520 NtWaitForSingleObject
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0326AD30 NtSetContextThread
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269560 NtWriteFile
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269950 NtQueueApcThread
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032695F0 NtQueryInformationFile
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032699D0 NtCreateProcessEx
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03269820 NtEnumerateKey
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0326B040 NtSuspendThread
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032698A0 NtWriteVirtualMemory
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032698F0 NtReadVirtualMemory
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006D9830 NtCreateFile
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006D98E0 NtReadFile
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006D9960 NtClose
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006D9A10 NtAllocateVirtualMemory
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006D98DA NtReadFile
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006D995C NtClose
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 0_2_00CDE918
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 0_2_00CDE910
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0041E067
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00401026
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00401030
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0041D15A
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0041DA0F
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0041D319
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00402D90
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00409F5B
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00409F60
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0041CF71
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00402FB0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100F900
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01024120
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010C1002
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0101B090
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010320A0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D20A8
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D28EC
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D2B28
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103EBB0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010CDBD2
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D22AE
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D2D07
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01000D20
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D1D55
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01032581
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D25DD
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0101D5E0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0101841F
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010CD466
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D1FF1
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010CD616
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01026E30
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0325EBB0
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F1FF1
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03246E30
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F22AE
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F2EF7
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03220D20
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03244120
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0322F900
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F2D07
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F1D55
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03252581
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0323D5E0
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032E1002
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0323841F
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032520A0
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F20A8
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0323B090
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006DD15A
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006DDA0F
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006DD319
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006C2D90
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006C9F60
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006DCF71
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006C9F5B
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_006C2FB0
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B150 appears 35 times
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: String function: 0100B150 appears 35 times
    Source: purchase order.exe | Binary or memory string: OriginalFilename vs purchase order.exe
    Source: purchase order.exe, 00000000.00000002.274834302.0000000008BC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs purchase order.exe
    Source: purchase order.exe, 00000000.00000002.268772881.0000000002911000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs purchase order.exe
    Source: purchase order.exe, 00000000.00000002.267610731.0000000000CFA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs purchase order.exe
    Source: purchase order.exe, 00000005.00000002.319184888.0000000000FBB000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs purchase order.exe
    Source: purchase order.exe, 00000005.00000002.319406929.00000000010FF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs purchase order.exe
    Source: purchase order.exe | Binary or memory string: OriginalFilenamegchUY.exe2 vs purchase order.exe
    Source: purchase order.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000002.266968477.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000E.00000002.511114379.0000000002D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000000.00000000.242745115.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000004.00000000.265441109.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000E.00000002.509724616.0000000000A12000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0000000E.00000002.509126090.00000000006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000E.00000002.509126090.00000000006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000E.00000002.512692570.000000000372F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000005.00000002.318882778.0000000000B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000005.00000002.318882778.0000000000B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000005.00000000.266268907.0000000000522000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000005.00000002.318318774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000005.00000002.318318774.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000005.00000002.318780033.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000005.00000002.318780033.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000E.00000002.511355117.0000000002D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000E.00000002.511355117.0000000002D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000005.00000002.318362040.0000000000522000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000002.269038154.00000000039BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000000.00000002.269038154.00000000039BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000004.00000002.265677318.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: Process Memory Space: purchase order.exe PID: 6812, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: Process Memory Space: purchase order.exe PID: 7160, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: Process Memory Space: purchase order.exe PID: 7084, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 5.0.purchase order.exe.520000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 5.2.purchase order.exe.520000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0.0.purchase order.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 4.2.purchase order.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 4.0.purchase order.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 5.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 5.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 5.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 5.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0.2.purchase order.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: purchase order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@5/0
    Source: C:\Users\user\Desktop\purchase order.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order.exe.logJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01
    Source: purchase order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\purchase order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\purchase order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\purchase order.exe 'C:\Users\user\Desktop\purchase order.exe'
    Source: unknownProcess created: C:\Users\user\Desktop\purchase order.exe {path}
    Source: unknownProcess created: C:\Users\user\Desktop\purchase order.exe {path}
    Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\purchase order.exeProcess created: C:\Users\user\Desktop\purchase order.exe {path}Jump to behavior
    Source: C:\Users\user\Desktop\purchase order.exeProcess created: C:\Users\user\Desktop\purchase order.exe {path}Jump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'Jump to behavior
    Source: C:\Users\user\Desktop\purchase order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: purchase order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: purchase order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.301924247.000000000F8C0000.00000002.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP source: purchase order.exe, 00000005.00000002.319194489.0000000000FE0000.00000040.00000001.sdmp, svchost.exe, 0000000E.00000002.511784923.0000000003200000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb source: purchase order.exe, svchost.exe
    Source: Binary string: svchost.pdb source: purchase order.exe, 00000005.00000002.319134940.0000000000FB0000.00000040.00000001.sdmp
    Source: Binary string: svchost.pdbUGP source: purchase order.exe, 00000005.00000002.319134940.0000000000FB0000.00000040.00000001.sdmp
    Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.301924247.000000000F8C0000.00000002.00000001.sdmp
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_00CDD560 push C3FFFFE9h; ret 0_2_00CDD584
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 0_2_00CDF650 push eax; iretd 0_2_00CDF67D
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0040B00A push D43A13D5h; retf 5_2_0040B00F
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0041D15A push 89A24289h; ret 5_2_0041D318
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0041DC20 push 423A33DCh; ret 5_2_0041DD4A
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_004094F7 push es; iretd 5_2_004094FE
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0041C6F2 push eax; ret 5_2_0041C6F8
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0041C6FB push eax; ret 5_2_0041C762
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0041C6A5 push eax; ret 5_2_0041C6F8
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0041C75C push eax; ret 5_2_0041C762
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0105D0D1 push ecx; ret 5_2_0105D0E4
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0327D0D1 push ecx; ret 14_2_0327D0E4
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006CB00A push D43A13D5h; retf 14_2_006CB00F
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006DD15A push 89A24289h; ret 14_2_006DD318
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006DDC20 push 423A33DCh; ret 14_2_006DDD4A
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006C94F7 push es; iretd 14_2_006C94FE
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006C8C94 push edx; retn 55C8h14_2_006C8C9E
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006DC6FB push eax; ret 14_2_006DC762
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006DC6F2 push eax; ret 14_2_006DC6F8
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006DC6A5 push eax; ret 14_2_006DC6F8
    Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_006DC75C push eax; ret 14_2_006DC762
    Source: initial sampleStatic PE information: section name: .text entropy: 7.90683773904

    Hooking and other Techniques for Hiding and Protection:

    Modifies the prolog of user mode functions (user mode inline hooks)
    Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x03 0x36
    Source: C:\Users\user\Desktop\purchase order.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match | File source: Process Memory Space: purchase order.exe PID: 6812, type: MEMORY
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\purchase order.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\purchase order.exe | RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 00000000006C98B4 second address: 00000000006C98BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 00000000006C9B1E second address: 00000000006C9B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_00409A50 rdtsc | 5_2_00409A50
    Source: C:\Users\user\Desktop\purchase order.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\purchase order.exe TID: 6816 | Thread sleep time: -41000s >= -30000s
    Source: C:\Users\user\Desktop\purchase order.exe TID: 6840 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\explorer.exe TID: 5660 | Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\SysWOW64\svchost.exe TID: 6752 | Thread sleep time: -55000s >= -30000s
    Source: C:\Windows\explorer.exe | Last function: Thread delayed
    Source: explorer.exe, 00000006.00000000.291283925.0000000007989000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
    Source: explorer.exe, 00000006.00000000.299296221.000000000EBFA000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000006.00000000.291283925.0000000007989000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000006.00000000.292599051.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: vmware
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: explorer.exe, 00000006.00000000.283309335.00000000040E9000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: VMWARE
    Source: explorer.exe, 00000006.00000000.291455048.0000000007A8F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
    Source: explorer.exe, 00000006.00000000.291283925.0000000007989000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: explorer.exe, 00000006.00000000.292599051.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: explorer.exe, 00000006.00000000.292599051.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
    Source: purchase order.exe, 00000000.00000002.279239609.00000000090FC000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: explorer.exe, 00000006.00000000.291283925.0000000007989000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
    Source: explorer.exe, 00000006.00000000.292599051.0000000007CF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\purchase order.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\purchase order.exe | Process queried: DebugPort
    Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0040ADF0 LdrLoadDll | 5_2_0040ADF0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01009100 mov eax, dword ptr fs:[00000030h] | 5_2_01009100
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01024120 mov eax, dword ptr fs:[00000030h] | 5_2_01024120
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01024120 mov ecx, dword ptr fs:[00000030h] | 5_2_01024120
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103513A mov eax, dword ptr fs:[00000030h] | 5_2_0103513A
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0102B944 mov eax, dword ptr fs:[00000030h] | 5_2_0102B944
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100C962 mov eax, dword ptr fs:[00000030h] | 5_2_0100C962
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100B171 mov eax, dword ptr fs:[00000030h] | 5_2_0100B171
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0102C182 mov eax, dword ptr fs:[00000030h] | 5_2_0102C182
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103A185 mov eax, dword ptr fs:[00000030h] | 5_2_0103A185
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01032990 mov eax, dword ptr fs:[00000030h] | 5_2_01032990
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010361A0 mov eax, dword ptr fs:[00000030h] | 5_2_010361A0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010869A6 mov eax, dword ptr fs:[00000030h] | 5_2_010869A6
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010851BE mov eax, dword ptr fs:[00000030h] | 5_2_010851BE
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010941E8 mov eax, dword ptr fs:[00000030h] | 5_2_010941E8
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100B1E1 mov eax, dword ptr fs:[00000030h] | 5_2_0100B1E1
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D4015 mov eax, dword ptr fs:[00000030h] | 5_2_010D4015
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01087016 mov eax, dword ptr fs:[00000030h] | 5_2_01087016
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0101B02A mov eax, dword ptr fs:[00000030h] | 5_2_0101B02A
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103002D mov eax, dword ptr fs:[00000030h] | 5_2_0103002D
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01020050 mov eax, dword ptr fs:[00000030h] | 5_2_01020050
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D1074 mov eax, dword ptr fs:[00000030h] | 5_2_010D1074
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010C2073 mov eax, dword ptr fs:[00000030h] | 5_2_010C2073
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01009080 mov eax, dword ptr fs:[00000030h] | 5_2_01009080
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01083884 mov eax, dword ptr fs:[00000030h] | 5_2_01083884
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010320A0 mov eax, dword ptr fs:[00000030h] | 5_2_010320A0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010490AF mov eax, dword ptr fs:[00000030h] | 5_2_010490AF
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103F0BF mov ecx, dword ptr fs:[00000030h] | 5_2_0103F0BF
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103F0BF mov eax, dword ptr fs:[00000030h] | 5_2_0103F0BF
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0109B8D0 mov eax, dword ptr fs:[00000030h] | 5_2_0109B8D0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0109B8D0 mov ecx, dword ptr fs:[00000030h] | 5_2_0109B8D0
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010058EC mov eax, dword ptr fs:[00000030h] | 5_2_010058EC
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010C131B mov eax, dword ptr fs:[00000030h] | 5_2_010C131B
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100DB40 mov eax, dword ptr fs:[00000030h] | 5_2_0100DB40
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D8B58 mov eax, dword ptr fs:[00000030h] | 5_2_010D8B58
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100F358 mov eax, dword ptr fs:[00000030h] | 5_2_0100F358
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0100DB60 mov ecx, dword ptr fs:[00000030h] | 5_2_0100DB60
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01033B7A mov eax, dword ptr fs:[00000030h] | 5_2_01033B7A
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010C138A mov eax, dword ptr fs:[00000030h] | 5_2_010C138A
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010BD380 mov ecx, dword ptr fs:[00000030h] | 5_2_010BD380
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01011B8F mov eax, dword ptr fs:[00000030h] | 5_2_01011B8F
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_0103B390 mov eax, dword ptr fs:[00000030h] | 5_2_0103B390
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01032397 mov eax, dword ptr fs:[00000030h] | 5_2_01032397
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010D5BA5 mov eax, dword ptr fs:[00000030h] | 5_2_010D5BA5
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_01034BAD mov eax, dword ptr fs:[00000030h] | 5_2_01034BAD
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010853CA mov eax, dword ptr fs:[00000030h] | 5_2_010853CA
    Source: C:\Users\user\Desktop\purchase order.exe | Code function: 5_2_010303E2 mov eax, dword ptr fs:[00000030h] | 5_2_010303E2
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010303E2 mov eax, dword ptr fs:[00000030h]5_2_010303E2
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010303E2 mov eax, dword ptr fs:[00000030h]5_2_010303E2
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010303E2 mov eax, dword ptr fs:[00000030h]5_2_010303E2
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0102DBE9 mov eax, dword ptr fs:[00000030h]5_2_0102DBE9
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01018A0A mov eax, dword ptr fs:[00000030h]5_2_01018A0A
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01005210 mov eax, dword ptr fs:[00000030h]5_2_01005210
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01005210 mov ecx, dword ptr fs:[00000030h]5_2_01005210
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01005210 mov eax, dword ptr fs:[00000030h]5_2_01005210
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01005210 mov eax, dword ptr fs:[00000030h]5_2_01005210
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0100AA16 mov eax, dword ptr fs:[00000030h]5_2_0100AA16
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0100AA16 mov eax, dword ptr fs:[00000030h]5_2_0100AA16
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01023A1C mov eax, dword ptr fs:[00000030h]5_2_01023A1C
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01044A2C mov eax, dword ptr fs:[00000030h]5_2_01044A2C
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01044A2C mov eax, dword ptr fs:[00000030h]5_2_01044A2C
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01009240 mov eax, dword ptr fs:[00000030h]5_2_01009240
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01009240 mov eax, dword ptr fs:[00000030h]5_2_01009240
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01009240 mov eax, dword ptr fs:[00000030h]5_2_01009240
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01009240 mov eax, dword ptr fs:[00000030h]5_2_01009240
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010CEA55 mov eax, dword ptr fs:[00000030h]5_2_010CEA55
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01094257 mov eax, dword ptr fs:[00000030h]5_2_01094257
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010BB260 mov eax, dword ptr fs:[00000030h]5_2_010BB260
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010BB260 mov eax, dword ptr fs:[00000030h]5_2_010BB260
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010D8A62 mov eax, dword ptr fs:[00000030h]5_2_010D8A62
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0104927A mov eax, dword ptr fs:[00000030h]5_2_0104927A
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0103D294 mov eax, dword ptr fs:[00000030h]5_2_0103D294
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0103D294 mov eax, dword ptr fs:[00000030h]5_2_0103D294
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010052A5 mov eax, dword ptr fs:[00000030h]5_2_010052A5
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010052A5 mov eax, dword ptr fs:[00000030h]5_2_010052A5
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010052A5 mov eax, dword ptr fs:[00000030h]5_2_010052A5
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010052A5 mov eax, dword ptr fs:[00000030h]5_2_010052A5
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_010052A5 mov eax, dword ptr fs:[00000030h]5_2_010052A5
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0101AAB0 mov eax, dword ptr fs:[00000030h]5_2_0101AAB0
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0101AAB0 mov eax, dword ptr fs:[00000030h]5_2_0101AAB0
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0103FAB0 mov eax, dword ptr fs:[00000030h]5_2_0103FAB0
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01032ACB mov eax, dword ptr fs:[00000030h]5_2_01032ACB
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01032AE4 mov eax, dword ptr fs:[00000030h]5_2_01032AE4
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_0100AD30 mov eax, dword ptr fs:[00000030h]5_2_0100AD30
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01013D34 mov eax, dword ptr fs:[00000030h]5_2_01013D34
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01013D34 mov eax, dword ptr fs:[00000030h]5_2_01013D34
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01013D34 mov eax, dword ptr fs:[00000030h]5_2_01013D34
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01013D34 mov eax, dword ptr fs:[00000030h]5_2_01013D34
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01013D34 mov eax, dword ptr fs:[00000030h]5_2_01013D34
    Source: C:\Users\user\Desktop\purchase order.exeCode function: 5_2_01013D34 mov eax, dword ptr fs:[00000030h]5_2_01013D34
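Every evidence row above records the same 32-bit idiom: a `mov reg, dword ptr fs:[00000030h]`, which loads the process's PEB pointer from the TEB. The sandbox flags the instruction itself, not what the result is used for, and on its own the read is a weak indicator (compiler runtime and loader helper code do it too). What a practitioner wants to know is the instruction that follows: a byte load at PEB+2 is a `BeingDebugged` check, a dword load at PEB+0Ch walks `Ldr` to resolve APIs by hand, and PEB+68h is `NtGlobalFlag`. The scanner below is an added example and is not part of the Joe Sandbox report or the sample; it finds the fs:[30h] read encodings the rows above disassemble (the `64 A1` moffs form for eax, the `64 8B /r` form for any register, and `push dword ptr fs:[30h]`) in a raw code buffer and labels the PEB field touched by the next instruction when it recognises one. The code bytes in `SAMPLE_CODE` are constructed for the example and do not come from purchase order.exe.

```python
"""Scan raw 32-bit x86 code bytes for direct PEB reads through FS:[0x30].

Added example, not part of the sandbox report. The byte patterns are the
standard encodings of the instruction forms the report's evidence rows show.
"""
from dataclasses import dataclass
from typing import List, Optional

# 32-bit general purpose registers indexed by the ModRM reg/rm field value.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields an anti-analysis or API-resolution stub typically reads
# right after fetching the PEB base.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


@dataclass
class PebRead:
    offset: int           # position of the fs:[30h] instruction in the buffer
    length: int           # encoded length of that instruction in bytes
    text: str             # disassembly-style rendering, as in the report rows
    field: Optional[str]  # PEB field read by the following instruction, if known


def _u32(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 4], "little")


def _decode_followup(buf: bytes, pos: int, reg: str) -> Optional[str]:
    """Recognise `movzx eax, byte ptr [reg+disp8]` (0F B6 /r) or
    `mov r32, [reg+disp8]` (8B /r) directly after the PEB read and map the
    displacement to a PEB field name."""
    if buf[pos:pos + 2] == b"\x0f\xb6":
        modrm_pos = pos + 2
    elif buf[pos:pos + 1] == b"\x8b":
        modrm_pos = pos + 1
    else:
        return None
    if modrm_pos + 1 >= len(buf):
        return None
    modrm = buf[modrm_pos]
    mod, rm = modrm >> 6, modrm & 7
    # Only the [base+disp8] form; rm == 4 would need a SIB byte, skip it.
    if mod != 1 or rm == 4 or REGS32[rm] != reg:
        return None
    return PEB_FIELDS.get(buf[modrm_pos + 1])


def find_peb_reads(code: bytes) -> List[PebRead]:
    """Return every direct fs:[00000030h] read found in `code`."""
    hits: List[PebRead] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:  # FS segment override prefix
            i += 1
            continue
        # 64 A1 disp32            -> mov eax, dword ptr fs:[disp32] (moffs form)
        if i + 6 <= n and code[i + 1] == 0xA1 and _u32(code, i + 2) == 0x30:
            reg, length = "eax", 6
        # 64 8B /r disp32 (mod=00, rm=101) -> mov r32, dword ptr fs:[disp32]
        elif (i + 7 <= n and code[i + 1] == 0x8B
              and (code[i + 2] & 0xC7) == 0x05 and _u32(code, i + 3) == 0x30):
            reg, length = REGS32[(code[i + 2] >> 3) & 7], 7
        # 64 FF 35 disp32         -> push dword ptr fs:[disp32]
        elif (i + 7 <= n and code[i + 1:i + 3] == b"\xff\x35"
              and _u32(code, i + 3) == 0x30):
            reg, length = None, 7
        else:
            i += 1
            continue
        if reg is None:
            text, field = "push dword ptr fs:[00000030h]", None
        else:
            text = f"mov {reg}, dword ptr fs:[00000030h]"
            field = _decode_followup(code, i + length, reg)
        hits.append(PebRead(i, length, text, field))
        i += length
    return hits


def summarize(code: bytes) -> List[str]:
    """One line per hit, in the style of the report's evidence rows."""
    return [f"{h.offset:#06x}: {h.text}" + (f"  ; -> PEB.{h.field}" if h.field else "")
            for h in find_peb_reads(code)]


# Constructed code bytes for the example (NOT taken from the analysed sample):
#   mov eax, dword ptr fs:[30h]   64 A1 30 00 00 00
#   movzx eax, byte ptr [eax+2]   0F B6 40 02          -> PEB.BeingDebugged
#   test eax, eax                 85 C0
#   mov ecx, dword ptr fs:[30h]   64 8B 0D 30 00 00 00
#   mov eax, [ecx+0Ch]            8B 41 0C             -> PEB.Ldr
#   mov eax, dword ptr fs:[18h]   64 A1 18 00 00 00    (TEB self pointer, must not match)
#   push dword ptr fs:[30h]       64 FF 35 30 00 00 00
SAMPLE_CODE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0"
    "648B0D30000000" "8B410C"
    "64A118000000"
    "64FF3530000000"
)

if __name__ == "__main__":
    for line in summarize(SAMPLE_CODE):
        print(line)
```

Run it against a dumped code section (for example the bytes of the functions listed above, carved from the process memory dump) to turn a bare "reads the PEB" hit into "checks BeingDebugged" or "walks Ldr". Reads that go through the TEB first (`mov eax, fs:[18h]` then `mov eax, [eax+30h]`) are deliberately not matched here, since the report's rows only show the direct form.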