Analysis Report Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe

Overview

General Information

Sample Name: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Analysis ID: 321085
MD5: 6008cd180e677be4846d5f8abfa6b983
SHA1: 881844503dee7d1797ce7736786dfec08f06100a
SHA256: b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d
Tags: exe GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Virustotal: Detection: 30%
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 4x nop then jne 021F9072h 0_2_021F879F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 4x nop then jne 021F9072h 0_2_021F907D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 4x nop then pop ebx 1_2_000A7AFB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 4x nop then pop edi 1_2_000AE450
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 4x nop then pop edi 1_2_000B7D4A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop ebx 6_2_02967AFB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 6_2_0296E450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 6_2_02977D4A

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ca5e/?9rmT0Zz8=33d4ALcEm9QS3ETZfm99n5/91vkYSjLj82bPV1gW1bkPYk/ky+qZQnI1oXWMSZEPGOwK&rZ=Xn8pd6vp HTTP/1.1 Host: www.yourdfwliving.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.98.145.30 64.98.145.30
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUCOWS-3CA TUCOWS-3CA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: pilatescollective.com
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757436469.0000000000563000.00000040.00000001.sdmp String found in binary or memory: https://pilatescollective.com/myguy/anyiba_ivtYLdKxk45.bin
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.922109924.0000000004FFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.921254049.0000000002EBE000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F0A52 NtSetInformationThread,TerminateProcess, 0_2_021F0A52
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F969C NtResumeThread, 0_2_021F969C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F075B EnumWindows,NtSetInformationThread, 0_2_021F075B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F47EE NtSetInformationThread,CreateFileA, 0_2_021F47EE
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9163 NtProtectVirtualMemory, 0_2_021F9163
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F559F NtSetInformationThread,NtWriteVirtualMemory, 0_2_021F559F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F8987 NtSetInformationThread,NtWriteVirtualMemory, 0_2_021F8987
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F361D NtWriteVirtualMemory, 0_2_021F361D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9A19 NtResumeThread, 0_2_021F9A19
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9A3D NtResumeThread, 0_2_021F9A3D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3A2B NtWriteVirtualMemory, 0_2_021F3A2B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F364F NtWriteVirtualMemory, 0_2_021F364F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9A77 NtResumeThread, 0_2_021F9A77
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9AB0 NtResumeThread, 0_2_021F9AB0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F6AA9 NtSetInformationThread, 0_2_021F6AA9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F96A3 NtResumeThread, 0_2_021F96A3
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9ADD NtResumeThread, 0_2_021F9ADD
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F36D7 NtWriteVirtualMemory, 0_2_021F36D7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F96D7 NtResumeThread, 0_2_021F96D7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F06D5 EnumWindows,NtSetInformationThread, 0_2_021F06D5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3717 NtWriteVirtualMemory, 0_2_021F3717
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9B33 NtResumeThread, 0_2_021F9B33
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3B2B NtWriteVirtualMemory, 0_2_021F3B2B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3B7B NtWriteVirtualMemory, 0_2_021F3B7B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9B6D NtResumeThread, 0_2_021F9B6D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F976B NtResumeThread, 0_2_021F976B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F0769 EnumWindows,NtSetInformationThread, 0_2_021F0769
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F879F NtProtectVirtualMemory, 0_2_021F879F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F2F90 NtWriteVirtualMemory, 0_2_021F2F90
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F37B7 NtWriteVirtualMemory, 0_2_021F37B7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9BAC NtResumeThread, 0_2_021F9BAC
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3BC5 NtWriteVirtualMemory, 0_2_021F3BC5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F380B NtWriteVirtualMemory, 0_2_021F380B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F0808 NtSetInformationThread, 0_2_021F0808
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3C35 NtWriteVirtualMemory, 0_2_021F3C35
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3855 NtWriteVirtualMemory, 0_2_021F3855
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9C7F NtResumeThread, 0_2_021F9C7F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F986F NtResumeThread, 0_2_021F986F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F0897 NtSetInformationThread, 0_2_021F0897
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3C97 NtWriteVirtualMemory, 0_2_021F3C97
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F38B5 NtWriteVirtualMemory, 0_2_021F38B5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F98A4 NtResumeThread, 0_2_021F98A4
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F08CF NtSetInformationThread, 0_2_021F08CF
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F90CB NtProtectVirtualMemory, 0_2_021F90CB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F38F5 NtWriteVirtualMemory, 0_2_021F38F5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F391A NtWriteVirtualMemory, 0_2_021F391A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F6515 NtSetInformationThread, 0_2_021F6515
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3D3B NtWriteVirtualMemory, 0_2_021F3D3B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9956 NtResumeThread, 0_2_021F9956
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3962 NtWriteVirtualMemory, 0_2_021F3962
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F3D8F NtWriteVirtualMemory, 0_2_021F3D8F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F9189 NtProtectVirtualMemory, 0_2_021F9189
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F31E0 NtSetInformationThread, 0_2_021F31E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E3E9660
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_1E3E96E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_1E3E9710
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_1E3E97A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_1E3E9780
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk, 1_2_1E3E9540
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk, 1_2_1E3E95D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk, 1_2_1E3E9A20
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_1E3E9A00
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk, 1_2_1E3E9A50
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_1E3E9860
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk, 1_2_1E3E9840
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_1E3E98F0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_1E3E9910
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk, 1_2_1E3E99A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9610 NtEnumerateValueKey, 1_2_1E3E9610
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9670 NtQueryInformationProcess, 1_2_1E3E9670
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9650 NtQueryValueKey, 1_2_1E3E9650
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E96D0 NtCreateKey, 1_2_1E3E96D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9730 NtQueryVirtualMemory, 1_2_1E3E9730
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3EA710 NtOpenProcessToken, 1_2_1E3EA710
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3EA770 NtOpenThread, 1_2_1E3EA770
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9770 NtSetInformationFile, 1_2_1E3E9770
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9760 NtOpenProcess, 1_2_1E3E9760
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9FE0 NtCreateMutant, 1_2_1E3E9FE0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3EAD30 NtSetContextThread, 1_2_1E3EAD30
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9520 NtWaitForSingleObject, 1_2_1E3E9520
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9560 NtWriteFile, 1_2_1E3E9560
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E95F0 NtQueryInformationFile, 1_2_1E3E95F0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9A10 NtQuerySection, 1_2_1E3E9A10
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9A80 NtOpenDirectoryObject, 1_2_1E3E9A80
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9B00 NtSetValueKey, 1_2_1E3E9B00
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3EA3B0 NtGetContextThread, 1_2_1E3EA3B0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9820 NtEnumerateKey, 1_2_1E3E9820
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3EB040 NtSuspendThread, 1_2_1E3EB040
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E98A0 NtWriteVirtualMemory, 1_2_1E3E98A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E9950 NtQueueApcThread, 1_2_1E3E9950
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E99D0 NtCreateProcessEx, 1_2_1E3E99D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B395D0 NtClose,LdrInitializeThunk, 6_2_04B395D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39540 NtReadFile,LdrInitializeThunk, 6_2_04B39540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B396E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_04B396E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B396D0 NtCreateKey,LdrInitializeThunk, 6_2_04B396D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04B39660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39650 NtQueryValueKey,LdrInitializeThunk, 6_2_04B39650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39780 NtMapViewOfSection,LdrInitializeThunk, 6_2_04B39780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39FE0 NtCreateMutant,LdrInitializeThunk, 6_2_04B39FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39710 NtQueryInformationToken,LdrInitializeThunk, 6_2_04B39710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04B39860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39840 NtDelayExecution,LdrInitializeThunk, 6_2_04B39840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B399A0 NtCreateSection,LdrInitializeThunk, 6_2_04B399A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04B39910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39A50 NtCreateFile,LdrInitializeThunk, 6_2_04B39A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B395F0 NtQueryInformationFile, 6_2_04B395F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B3AD30 NtSetContextThread, 6_2_04B3AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39520 NtWaitForSingleObject, 6_2_04B39520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39560 NtWriteFile, 6_2_04B39560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39610 NtEnumerateValueKey, 6_2_04B39610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39670 NtQueryInformationProcess, 6_2_04B39670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B397A0 NtUnmapViewOfSection, 6_2_04B397A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39730 NtQueryVirtualMemory, 6_2_04B39730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B3A710 NtOpenProcessToken, 6_2_04B3A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B3A770 NtOpenThread, 6_2_04B3A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39770 NtSetInformationFile, 6_2_04B39770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39760 NtOpenProcess, 6_2_04B39760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B398A0 NtWriteVirtualMemory, 6_2_04B398A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B398F0 NtReadVirtualMemory, 6_2_04B398F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39820 NtEnumerateKey, 6_2_04B39820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B3B040 NtSuspendThread, 6_2_04B3B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B399D0 NtCreateProcessEx, 6_2_04B399D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39950 NtQueueApcThread, 6_2_04B39950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39A80 NtOpenDirectoryObject, 6_2_04B39A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39A20 NtResumeThread, 6_2_04B39A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39A10 NtQuerySection, 6_2_04B39A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39A00 NtProtectVirtualMemory, 6_2_04B39A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B3A3B0 NtGetContextThread, 6_2_04B3A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B39B00 NtSetValueKey, 6_2_04B39B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979E70 NtClose, 6_2_02979E70
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979F20 NtAllocateVirtualMemory, 6_2_02979F20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979DF0 NtReadFile, 6_2_02979DF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979D40 NtCreateFile, 6_2_02979D40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979D92 NtCreateFile, 6_2_02979D92
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979DEA NtReadFile, 6_2_02979DEA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979D3B NtCreateFile, 6_2_02979D3B
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: String function: 1E3AB150 appears 45 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 04AFB150 appears 39 times
Sample file is different than original file name gathered from version info
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.691920446.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesweepers.exe vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.692698776.00000000021C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000000.684998082.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesweepers.exe vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.762365893.000000001E62F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.761538741.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757401813.00000000000D0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.761594514.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Binary or memory string: OriginalFilenamesweepers.exe vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.922109924.0000000004FFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.921254049.0000000002EBE000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@4/2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File created: C:\Users\user\AppData\Local\Temp\~DF19C1EAA8A3135A4C.TMP
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Virustotal: Detection: 30%
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe ReversingLabs: Detection: 14%
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: Binary string: cmstp.pdbGCTL source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757401813.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.735175160.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.761860471.000000001E380000.00000040.00000001.sdmp, cmstp.exe, 00000006.00000002.921795937.0000000004BEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757401813.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.735175160.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6304, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6780, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6304, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6780, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_00406655 push FFFFFFD3h; ret 0_2_0040665B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_004113EC push eax; ret 0_2_0041142B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3FD0D1 push ecx; ret 1_2_1E3FD0E4
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_0008E3E6 pushad ; ret 1_2_0008E3E7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_000B71BE push esi; ret 1_2_000B71E6
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_000AE26A pushfd ; retf 1_2_000AE27D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04B4D0D1 push ecx; ret 6_2_04B4D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_0296E26A pushfd ; retf 6_2_0296E27D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_029771BE push esi; ret 6_2_029771E6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_0297CE95 push eax; ret 6_2_0297CEE8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_0297CEE2 push eax; ret 6_2_0297CEE8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_0297CEEB push eax; ret 6_2_0297CF52
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_02979E3A push ss; ret 6_2_02979E3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_0297CF4C push eax; ret 6_2_0297CF52

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File created: \purchase order updates thyssenkrupp materials australia 900-5400006911.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 00000000021F80C7 second address: 00000000021F80C7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0468D3DF38h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp dh, ch 0x00000021 cmp al, al 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 dec dword ptr [ebp+000000F8h] 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007F0468D3DEE5h 0x00000036 jmp 00007F0468D3DF5Eh 0x00000038 cmp dx, dx 0x0000003b call 00007F0468D3DFBEh 0x00000040 call 00007F0468D3DF4Ah 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.692728631.00000000021F0000.00000040.00000001.sdmp, Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757436469.0000000000563000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 00000000021F80C7 second address: 00000000021F80C7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0468D3DF38h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp dh, ch 0x00000021 cmp al, al 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 dec dword ptr [ebp+000000F8h] 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007F0468D3DEE5h 0x00000036 jmp 00007F0468D3DF5Eh 0x00000038 cmp dx, dx 0x0000003b call 00007F0468D3DFBEh 0x00000040 call 00007F0468D3DF4Ah 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 00000000021F8112 second address: 00000000021F8112 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0468D32A96h 0x0000001f popad 0x00000020 call 00007F0468D32516h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 00000000021F8C4E second address: 00000000021F8C4E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 cmp ebx, eax 0x00000006 je 00007F0468D3E1AFh 0x0000000c cmp byte ptr [ebx], FFFFFFB8h 0x0000000f jne 00007F0468D3DF1Bh 0x00000011 pushad 0x00000012 mov ebx, 00000066h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 0000000000568112 second address: 0000000000568112 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0468D32A96h 0x0000001f popad 0x00000020 call 00007F0468D32516h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 0000000000568C4E second address: 0000000000568C4E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 cmp ebx, eax 0x00000006 je 00007F0468D3E1AFh 0x0000000c cmp byte ptr [ebx], FFFFFFB8h 0x0000000f jne 00007F0468D3DF1Bh 0x00000011 pushad 0x00000012 mov ebx, 00000066h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 00000000029698E4 second address: 00000000029698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000002969B5E second address: 0000000002969B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F8987 rdtsc 0_2_021F8987
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe TID: 408 Thread sleep count: 180 > 30
Source: C:\Windows\explorer.exe TID: 7136 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 808 Thread sleep time: -50000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.692728631.00000000021F0000.00000040.00000001.sdmp, Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757436469.0000000000563000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.739898951.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.735567164.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.740594811.000000000A839000.00000004.00000001.sdmp Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&\
Source: explorer.exe, 00000004.00000000.731025210.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.740094180.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.740094180.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F0A52 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,021F08C6,00000000,00000000,00000000 0_2_021F0A52
Hides threads from debuggers
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F8987 rdtsc 0_2_021F8987
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F4B8D LdrInitializeThunk, 0_2_021F4B8D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F8987 mov eax, dword ptr fs:[00000030h] 0_2_021F8987
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F8A17 mov eax, dword ptr fs:[00000030h] 0_2_021F8A17
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F6F79 mov eax, dword ptr fs:[00000030h] 0_2_021F6F79
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F879F mov eax, dword ptr fs:[00000030h] 0_2_021F879F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F2F90 mov eax, dword ptr fs:[00000030h] 0_2_021F2F90
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F2FAD mov eax, dword ptr fs:[00000030h] 0_2_021F2FAD
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F6BFB mov eax, dword ptr fs:[00000030h] 0_2_021F6BFB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F2FF1 mov eax, dword ptr fs:[00000030h] 0_2_021F2FF1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F87E9 mov eax, dword ptr fs:[00000030h] 0_2_021F87E9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F2C1D mov eax, dword ptr fs:[00000030h] 0_2_021F2C1D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F7C2F mov eax, dword ptr fs:[00000030h] 0_2_021F7C2F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F2468 mov eax, dword ptr fs:[00000030h] 0_2_021F2468
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F8959 mov eax, dword ptr fs:[00000030h] 0_2_021F8959
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 0_2_021F41A1 mov eax, dword ptr fs:[00000030h] 0_2_021F41A1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E46AE44
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 1_2_1E3AE620
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 1_2_1E3DA61C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 1_2_1E3D8E00
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E461608 mov eax, dword ptr fs:[00000030h] 1_2_1E461608
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B766D mov eax, dword ptr fs:[00000030h] 1_2_1E3B766D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 1_2_1E45FE3F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E45FEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E45FEC0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E478ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E478ED6
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43FE87 mov eax, dword ptr fs:[00000030h] 1_2_1E43FE87
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B76E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3B76E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E3D16E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E470EA5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E4246A7 mov eax, dword ptr fs:[00000030h] 1_2_1E4246A7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D36CC mov eax, dword ptr fs:[00000030h] 1_2_1E3D36CC
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E3E8EC7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DE730 mov eax, dword ptr fs:[00000030h] 1_2_1E3DE730
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 1_2_1E3A4F2E
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3CF716 mov eax, dword ptr fs:[00000030h] 1_2_1E3CF716
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E478F6A mov eax, dword ptr fs:[00000030h] 1_2_1E478F6A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 1_2_1E3DA70E
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E47070D mov eax, dword ptr fs:[00000030h] 1_2_1E47070D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 1_2_1E43FF10
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BFF60 mov eax, dword ptr fs:[00000030h] 1_2_1E3BFF60
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BEF40 mov eax, dword ptr fs:[00000030h] 1_2_1E3BEF40
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B8794 mov eax, dword ptr fs:[00000030h] 1_2_1E3B8794
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E37F5 mov eax, dword ptr fs:[00000030h] 1_2_1E3E37F5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h] 1_2_1E427794
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DBC2C mov eax, dword ptr fs:[00000030h] 1_2_1E3DBC2C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43C450 mov eax, dword ptr fs:[00000030h] 1_2_1E43C450
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h] 1_2_1E461C06
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h] 1_2_1E426C0A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h] 1_2_1E47740D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C746D mov eax, dword ptr fs:[00000030h] 1_2_1E3C746D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DA44B mov eax, dword ptr fs:[00000030h] 1_2_1E3DA44B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E478CD6 mov eax, dword ptr fs:[00000030h] 1_2_1E478CD6
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B849B mov eax, dword ptr fs:[00000030h] 1_2_1E3B849B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E426CF0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E4614FB mov eax, dword ptr fs:[00000030h] 1_2_1E4614FB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E423540 mov eax, dword ptr fs:[00000030h] 1_2_1E423540
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E453D40 mov eax, dword ptr fs:[00000030h] 1_2_1E453D40
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 1_2_1E3D4D3B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 1_2_1E3D4D3B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 1_2_1E3D4D3B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AAD30 mov eax, dword ptr fs:[00000030h] 1_2_1E3AAD30
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 1_2_1E3CC577
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 1_2_1E3CC577
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C7D50 mov eax, dword ptr fs:[00000030h] 1_2_1E3C7D50
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E478D34 mov eax, dword ptr fs:[00000030h] 1_2_1E478D34
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E42A537 mov eax, dword ptr fs:[00000030h] 1_2_1E42A537
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E3D43 mov eax, dword ptr fs:[00000030h] 1_2_1E3E3D43
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46E539 mov eax, dword ptr fs:[00000030h] 1_2_1E46E539
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E3D1DB5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E3D1DB5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E3D1DB5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426DC9 mov ecx, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D35A1 mov eax, dword ptr fs:[00000030h] 1_2_1E3D35A1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E46FDE2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E46FDE2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E46FDE2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E46FDE2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 1_2_1E3DFD9B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 1_2_1E3DFD9B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 1_2_1E3A2D8A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 1_2_1E3A2D8A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 1_2_1E3A2D8A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 1_2_1E3A2D8A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 1_2_1E3A2D8A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E458DF1 mov eax, dword ptr fs:[00000030h] 1_2_1E458DF1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2581
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2581
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2581
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2581
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BD5E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BD5E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h] 1_2_1E4705AC
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h] 1_2_1E4705AC
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E3E4A2C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E3E4A2C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46EA55 mov eax, dword ptr fs:[00000030h] 1_2_1E46EA55
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E434257 mov eax, dword ptr fs:[00000030h] 1_2_1E434257
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C3A1C mov eax, dword ptr fs:[00000030h] 1_2_1E3C3A1C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h] 1_2_1E45B260
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h] 1_2_1E45B260
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E478A62 mov eax, dword ptr fs:[00000030h] 1_2_1E478A62
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A5210 mov ecx, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 1_2_1E3AAA16
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 1_2_1E3AAA16
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B8A0A mov eax, dword ptr fs:[00000030h] 1_2_1E3B8A0A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E927A mov eax, dword ptr fs:[00000030h] 1_2_1E3E927A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E46AA16
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E46AA16
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BAAB0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BAAB0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E3DFAB0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 1_2_1E3DD294
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 1_2_1E3DD294
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2AE4
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2ACB mov eax, dword ptr fs:[00000030h] 1_2_1E3D2ACB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E478B58 mov eax, dword ptr fs:[00000030h] 1_2_1E478B58
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 1_2_1E3D3B7A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 1_2_1E3D3B7A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h] 1_2_1E3ADB60
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46131B mov eax, dword ptr fs:[00000030h] 1_2_1E46131B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AF358 mov eax, dword ptr fs:[00000030h] 1_2_1E3AF358
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3ADB40 mov eax, dword ptr fs:[00000030h] 1_2_1E3ADB40
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h] 1_2_1E4253CA
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h] 1_2_1E4253CA
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 1_2_1E3D4BAD
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 1_2_1E3D4BAD
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 1_2_1E3D4BAD
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D2397 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2397
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DB390 mov eax, dword ptr fs:[00000030h] 1_2_1E3DB390
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 1_2_1E3B1B8F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 1_2_1E3B1B8F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E45D380 mov ecx, dword ptr fs:[00000030h] 1_2_1E45D380
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E46138A mov eax, dword ptr fs:[00000030h] 1_2_1E46138A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h] 1_2_1E3CDBE9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E475BA5 mov eax, dword ptr fs:[00000030h] 1_2_1E475BA5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h] 1_2_1E3D002D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h] 1_2_1E3D002D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h] 1_2_1E3D002D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h] 1_2_1E3D002D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h] 1_2_1E3D002D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 1_2_1E3BB02A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 1_2_1E3BB02A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 1_2_1E3BB02A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 1_2_1E3BB02A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E471074 mov eax, dword ptr fs:[00000030h] 1_2_1E471074
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E462073 mov eax, dword ptr fs:[00000030h] 1_2_1E462073
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h] 1_2_1E474015
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h] 1_2_1E474015
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h] 1_2_1E427016
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h] 1_2_1E427016
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h] 1_2_1E427016
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 1_2_1E3C0050
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 1_2_1E3C0050
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h] 1_2_1E3DF0BF
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 1_2_1E3DF0BF
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 1_2_1E3DF0BF
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3E90AF mov eax, dword ptr fs:[00000030h] 1_2_1E3E90AF
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9080 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9080
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h] 1_2_1E423884
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h] 1_2_1E423884
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A58EC mov eax, dword ptr fs:[00000030h] 1_2_1E3A58EC
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 1_2_1E3A40E1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 1_2_1E3A40E1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 1_2_1E3A40E1
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h] 1_2_1E3D513A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h] 1_2_1E3D513A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3C4120 mov ecx, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9100
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9100
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9100
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 1_2_1E3AB171
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 1_2_1E3AB171
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 64.98.145.30 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 830000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
Source: explorer.exe, 00000004.00000002.920942328.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.719673354.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000006.00000002.921347037.0000000003390000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.719673354.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000006.00000002.921347037.0000000003390000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.719673354.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000006.00000002.921347037.0000000003390000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.719673354.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000006.00000002.921347037.0000000003390000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.740094180.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6780, type: MEMORY
Source: Yara match File source: Process Memory Space: cmstp.exe PID: 6004, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY

[Figure: Behavior Graph, ID 321085. Sample: Purchase Order Updates thy..., Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100. Process chain: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe (started) -> Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe (started) -> explorer.exe (injected) -> cmstp.exe (started) -> cmd.exe (started) -> conhost.exe (started)]

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name             Malicious
64.98.145.30    unknown  Canada         32491  TUCOWS-3CA           true
192.185.152.65  unknown  United States  46606  UNIFIEDLAYER-AS-1US  false

Contacted Domains

Name IP Active
pilatescollective.com 192.185.152.65 true
www.yourdfwliving.com 64.98.145.30 true
www.remotereg.com 45.79.19.196 true
www.goldkiili.com unknown unknown

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
http://www.yourdfwliving.com/ca5e/?9rmT0Zz8=33d4ALcEm9QS3ETZfm99n5/91vkYSjLj82bPV1gW1bkPYk/ky+qZQnI1oXWMSZEPGOwK&rZ=Xn8pd6vp  true  Avira URL Cloud: safe  unknown