Analysis Report purchase order (2).exe

Overview

General Information

Sample Name: purchase order (2).exe
Analysis ID: 289540
MD5: 3b82ec5db945c6ec405ccc6bd6079e6a
SHA1: fe1bef4b53ffedd007e9fe294c63f3d4f535e88b
SHA256: ae98cbea751b110688b554259e94536ad47799d68af23f5c499f0021c09861b0
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Startup

  • System is w10x64
  • purchase order (2).exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\purchase order (2).exe' MD5: 3B82EC5DB945C6EC405CCC6BD6079E6A)
    • schtasks.exe (PID: 6924 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • purchase order (2).exe (PID: 6968 cmdline: {path} MD5: 3B82EC5DB945C6EC405CCC6BD6079E6A)
      • reg.exe (PID: 5604 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gKWBf.exe (PID: 1544 cmdline: 'C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe' MD5: 3B82EC5DB945C6EC405CCC6BD6079E6A)
    • schtasks.exe (PID: 644 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmpFF3E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gKWBf.exe (PID: 4640 cmdline: {path} MD5: 3B82EC5DB945C6EC405CCC6BD6079E6A)
      • reg.exe (PID: 5384 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gKWBf.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe' MD5: 3B82EC5DB945C6EC405CCC6BD6079E6A)
    • schtasks.exe (PID: 4076 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp1FB7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gKWBf.exe (PID: 3052 cmdline: {path} MD5: 3B82EC5DB945C6EC405CCC6BD6079E6A)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "RLKK3n", "URL: ": "https://4dC7XVwB2QG.org", "To: ": "ytservice@yitaipackaging.com", "ByHost: ": "mail.yitaipackaging.com:587", "Password: ": "AeKUnig", "From: ": "ytservice@yitaipackaging.com"}

Yara Overview

Memory Dumps

Source: 00000018.00000002.328189078.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000003.00000002.435774933.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000C.00000002.307510482.00000000037C9000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000014.00000002.322478545.0000000004059000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000003.00000002.443901994.0000000002A06000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
(5 of 16 entries shown)

Unpacked PEs

Source: 3.2.purchase order (2).exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 21.2.gKWBf.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 24.2.gKWBf.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\purchase order (2).exe', ParentImage: C:\Users\user\Desktop\purchase order (2).exe, ParentProcessId: 6836, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp', ProcessId: 6924

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: purchase order (2).exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\YKtXZOWu.exe, Avira: detection malicious, Label: TR/Kryptik.etnwt
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe, Avira: detection malicious, Label: TR/Kryptik.etnwt
Found malware configuration
Source: purchase order (2).exe.6968.3.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "RLKK3n", "URL: ": "https://4dC7XVwB2QG.org", "To: ": "ytservice@yitaipackaging.com", "ByHost: ": "mail.yitaipackaging.com:587", "Password: ": "AeKUnig", "From: ": "ytservice@yitaipackaging.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\YKtXZOWu.exe, Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Roaming\YKtXZOWu.exe, ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe, Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe, ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: purchase order (2).exe, Virustotal: Detection: 60%
Source: purchase order (2).exe, ReversingLabs: Detection: 41%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\YKtXZOWu.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: purchase order (2).exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.purchase order (2).exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 21.2.gKWBf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 24.2.gKWBf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49734 -> 35.213.167.237:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49738 -> 35.213.167.237:587
Source: global traffic, TCP traffic: 192.168.2.5:49734 -> 35.213.167.237:587
Source: Joe Sandbox View, IP Address: 35.213.167.237
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: unknown, DNS traffic detected: queries for: mail.yitaipackaging.com
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: purchase order (2).exe, 00000003.00000002.444569815.0000000002B2E000.00000004.00000001.sdmp, gKWBf.exe, 00000015.00000002.445451555.0000000002DF6000.00000004.00000001.sdmp, String found in binary or memory: http://mail.yitaipackaging.com
Source: purchase order (2).exe, 00000000.00000002.196726007.0000000002EDF000.00000004.00000001.sdmp, gKWBf.exe, 0000000C.00000002.303254558.0000000002A91000.00000004.00000001.sdmp, gKWBf.exe, 00000014.00000002.317436291.0000000003321000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: purchase order (2).exe, 00000000.00000002.204884317.0000000005980000.00000002.00000001.sdmp, gKWBf.exe, 0000000C.00000002.310337301.0000000005440000.00000002.00000001.sdmp, gKWBf.exe, 00000014.00000002.324361939.0000000005F10000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: purchase order (2).exe, 00000003.00000002.444569815.0000000002B2E000.00000004.00000001.sdmp, gKWBf.exe, 00000015.00000002.445451555.0000000002DF6000.00000004.00000001.sdmp, String found in binary or memory: http://yitaipackaging.com
Source: gKWBf.exe, 00000015.00000002.444100910.0000000002CD2000.00000004.00000001.sdmp, String found in binary or memory: https://4dC7XVwB2QG.org

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\purchase order (2).exe, File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: purchase order (2).exe
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 12_2_0BED441112_2_0BED4411
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_02C4E44820_2_02C4E448
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_02C4E45820_2_02C4E458
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_02C4B7FC20_2_02C4B7FC
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07474F7020_2_07474F70
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07476F3520_2_07476F35
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07470F8820_2_07470F88
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747260820_2_07472608
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_074746D020_2_074746D0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07471B3820_2_07471B38
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747224020_2_07472240
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07470F4820_2_07470F48
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07474F6020_2_07474F60
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07471E0B20_2_07471E0B
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_074746C120_2_074746C1
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07471D7520_2_07471D75
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07471C3B20_2_07471C3B
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07474CC020_2_07474CC0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07474CB020_2_07474CB0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07471B2820_2_07471B28
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_074753C620_2_074753C6
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_07478A1820_2_07478A18
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747223320_2_07472233
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747097820_2_07470978
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747711920_2_07477119
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747413820_2_07474138
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_074751C920_2_074751C9
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_074751D820_2_074751D8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747098820_2_07470988
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747004020_2_07470040
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_0747001D20_2_0747001D
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 20_2_074740B520_2_074740B5
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0112FC1821_2_0112FC18
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0112FC0921_2_0112FC09
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD833021_2_02BD8330
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD004021_2_02BD0040
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD24E021_2_02BD24E0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BDC9D021_2_02BDC9D0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD2FC021_2_02BD2FC0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD1DCC21_2_02BD1DCC
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD832021_2_02BD8320
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD000621_2_02BD0006
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BDC9C121_2_02BDC9C1
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD2F5221_2_02BD2F52
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD77C421_2_02BD77C4
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD783F21_2_02BD783F
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD3CB021_2_02BD3CB0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD1DC721_2_02BD1DC7
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_02BD7D7221_2_02BD7D72
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560EBA821_2_0560EBA8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560D96021_2_0560D960
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560004021_2_05600040
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_05609C4021_2_05609C40
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560AF3021_2_0560AF30
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560DF9021_2_0560DF90
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560A26821_2_0560A268
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0560A27821_2_0560A278
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606E6D021_2_0606E6D0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606C70221_2_0606C702
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606571021_2_06065710
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606AD0821_2_0606AD08
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060645F821_2_060645F8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06061A7021_2_06061A70
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06068B1821_2_06068B18
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606882821_2_06068828
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060690E821_2_060690E8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606695021_2_06066950
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606E6C421_2_0606E6C4
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606570121_2_06065701
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606CF8921_2_0606CF89
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06064C9E21_2_06064C9E
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606ACF821_2_0606ACF8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606AD0321_2_0606AD03
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060645E821_2_060645E8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06064A5621_2_06064A56
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606729721_2_06067297
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06068B0821_2_06068B08
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06066B5021_2_06066B50
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_06068B9B21_2_06068B9B
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060663BC21_2_060663BC
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606881921_2_06068819
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606482621_2_06064826
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060680DF21_2_060680DF
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060690DA21_2_060690DA
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060648EE21_2_060648EE
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060680F021_2_060680F0
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_0606694021_2_06066940
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060629DE21_2_060629DE
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_060629E821_2_060629E8
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_065CB60821_2_065CB608
                  Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exeCode function: 21_2_065C66F821_2_065C66F8
Source: purchase order (2).exe | Binary or memory string: OriginalFilename vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.194288076.00000000029A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHutaba.dll, vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.206348962.000000000D3C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.205793296.0000000006E80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.193258739.0000000000632000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecKq.exe. vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.200343203.00000000039C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.206563177.000000000D4C0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.206563177.000000000D4C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs purchase order (2).exe
Source: purchase order (2).exe, 00000000.00000002.196726007.0000000002EDF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKwzBhuSBSXhOMdRfZEwqxbbUarWyMLgW.exe( vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000002.449844524.0000000006140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000000.192536072.0000000000612000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecKq.exe. vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000002.449662108.00000000060C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000002.435774933.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKwzBhuSBSXhOMdRfZEwqxbbUarWyMLgW.exe( vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000002.448939997.0000000005BD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000002.449706997.00000000060D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs purchase order (2).exe
Source: purchase order (2).exe, 00000003.00000002.436811141.0000000000AF7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs purchase order (2).exe
Source: purchase order (2).exe | Binary or memory string: OriginalFilenamecKq.exe. vs purchase order (2).exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
Source: purchase order (2).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: YKtXZOWu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gKWBf.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@24/10@4/1
Source: C:\Users\user\Desktop\purchase order (2).exe | File created: C:\Users\user\AppData\Roaming\YKtXZOWu.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_01
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Mutant created: \Sessions\1\BaseNamedObjects\soWqEziVNDaImWiyowx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: C:\Users\user\Desktop\purchase order (2).exe | File created: C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp
Source: C:\Users\user\Desktop\purchase order (2).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\purchase order (2).exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\purchase order (2).exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\purchase order (2).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\purchase order (2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\purchase order (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: purchase order (2).exe | Virustotal: Detection: 60%
Source: purchase order (2).exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\purchase order (2).exe | File read: C:\Users\user\Desktop\purchase order (2).exe
Source: unknown | Process created: C:\Users\user\Desktop\purchase order (2).exe 'C:\Users\user\Desktop\purchase order (2).exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\purchase order (2).exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe 'C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmpFF3E.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe 'C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp1FB7.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order (2).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp'
Source: C:\Users\user\Desktop\purchase order (2).exe | Process created: C:\Users\user\Desktop\purchase order (2).exe {path}
Source: C:\Users\user\Desktop\purchase order (2).exe | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmpFF3E.tmp'
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Process created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe {path}
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp1FB7.tmp'
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Process created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe {path}
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
Source: C:\Users\user\Desktop\purchase order (2).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\purchase order (2).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\purchase order (2).exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: purchase order (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: purchase order (2).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 0_2_04F66661 push ecx; ret 0_2_04F666B5
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 0_2_04F682EF push E801025Eh; retf 0_2_04F68301
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 0_2_04F64EBB pushfd ; ret 0_2_04F64EC6
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 0_2_0C9B5918 push ebx; ret 0_2_0C9B5919
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 3_2_0294C556 push FFFFFF8Bh; iretd 3_2_0294C56B
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 3_2_060BC070 pushfd ; retf 3_2_060BC071
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 3_2_060B512F push edi; retn 0000h 3_2_060B5131
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 3_2_0613DB22 push 6965C9A6h; ret 3_2_0613DB29
Source: C:\Users\user\Desktop\purchase order (2).exe | Code function: 3_2_06133B28 push 83FFFFFEh; ret 3_2_06133B31
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 12_2_0233F810 push esp; iretd 12_2_0233F811
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 12_2_0233F8E4 pushfd ; iretd 12_2_0233F8E5
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 12_2_0BED5668 push ebx; ret 12_2_0BED5669
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 20_2_02C486E0 pushfd ; iretd 20_2_02C48705
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 20_2_02C4F8E4 pushfd ; iretd 20_2_02C4F8E5
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 20_2_02C4F810 push esp; iretd 20_2_02C4F811
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 20_2_07475918 push ebx; ret 20_2_07475919
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_02BDC569 push FFFFFF8Bh; iretd 21_2_02BDC56B
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_0560512F push edi; retn 0000h 21_2_05605131
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_0606763B push es; iretd 21_2_0606764C
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_06060749 push es; retf 21_2_0606074C
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_0606DB22 push 6965D6A6h; ret 21_2_0606DB29
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_06063B28 push 83FFFFFEh; ret 21_2_06063B31
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_06060006 push esp; iretd 21_2_06060091
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | Code function: 21_2_065C9971 push es; ret 21_2_065C9980
Source: initial sample | Static PE information: section name: .text entropy: 7.64934362002
Source: C:\Users\user\Desktop\purchase order (2).exe | File created: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe
Source: C:\Users\user\Desktop\purchase order (2).exe | File created: C:\Users\user\AppData\Roaming\YKtXZOWu.exe

                  Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\YKtXZOWu' /XML 'C:\Users\user\AppData\Local\Temp\tmp3E7F.tmp'
Source: C:\Users\user\Desktop\purchase order (2).exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run gKWBf

                  Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\purchase order (2).exe | File opened: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe | File opened: C:\Users\user\AppData\Roaming\gKWBf\gKWBf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\purchase order (2).exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\