Analysis Report Purchase Order 40,7045.exe

Overview

General Information

Sample Name: Purchase Order 40,7045.exe
Analysis ID: 321387
MD5: 2566aac2faf57e27d8778f2c61bac6d3
SHA1: b163ec807fe59a0f85f2d964fe1e8ffa8adab77e
SHA256: 7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045.exe Virustotal: Detection: 40%
Source: Purchase Order 40,7045.exe ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Purchase Order 40,7045.exe.7f0000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 4x nop then pop edi 1_2_00415044
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 4x nop then pop edi 1_2_00415C88
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 4x nop then pop ebx 1_2_004066DA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 3_2_02DE5044
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop ebx 3_2_02DD66DA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 3_2_02DE5C88

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 13.248.196.204:80 -> 192.168.2.3:49750
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49752
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SOFTLAYERUS
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: unknown DNS traffic detected: queries for: www.ownumo.com

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order 40,7045.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order 40,7045.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00417BA0 NtCreateFile, 1_2_00417BA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00417C50 NtReadFile, 1_2_00417C50
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00417CD0 NtClose, 1_2_00417CD0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00417D80 NtAllocateVirtualMemory, 1_2_00417D80
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00417C4C NtReadFile, 1_2_00417C4C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00417CCA NtClose, 1_2_00417CCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_01239910
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012399A0 NtCreateSection,LdrInitializeThunk, 1_2_012399A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01239860
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239840 NtDelayExecution,LdrInitializeThunk, 1_2_01239840
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_012398F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239A20 NtResumeThread,LdrInitializeThunk, 1_2_01239A20
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_01239A00
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239A50 NtCreateFile,LdrInitializeThunk, 1_2_01239A50
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239540 NtReadFile,LdrInitializeThunk, 1_2_01239540
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012395D0 NtClose,LdrInitializeThunk, 1_2_012395D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239710 NtQueryInformationToken,LdrInitializeThunk, 1_2_01239710
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_012397A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239780 NtMapViewOfSection,LdrInitializeThunk, 1_2_01239780
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239FE0 NtCreateMutant,LdrInitializeThunk, 1_2_01239FE0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_01239660
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_012396E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239950 NtQueueApcThread, 1_2_01239950
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012399D0 NtCreateProcessEx, 1_2_012399D0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239820 NtEnumerateKey, 1_2_01239820
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0123B040 NtSuspendThread, 1_2_0123B040
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012398A0 NtWriteVirtualMemory, 1_2_012398A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239B00 NtSetValueKey, 1_2_01239B00
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0123A3B0 NtGetContextThread, 1_2_0123A3B0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239A10 NtQuerySection, 1_2_01239A10
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239A80 NtOpenDirectoryObject, 1_2_01239A80
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239520 NtWaitForSingleObject, 1_2_01239520
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0123AD30 NtSetContextThread, 1_2_0123AD30
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239560 NtWriteFile, 1_2_01239560
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012395F0 NtQueryInformationFile, 1_2_012395F0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239730 NtQueryVirtualMemory, 1_2_01239730
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0123A710 NtOpenProcessToken, 1_2_0123A710
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239760 NtOpenProcess, 1_2_01239760
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239770 NtSetInformationFile, 1_2_01239770
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0123A770 NtOpenThread, 1_2_0123A770
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239610 NtEnumerateValueKey, 1_2_01239610
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239670 NtQueryInformationProcess, 1_2_01239670
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01239650 NtQueryValueKey, 1_2_01239650
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012396D0 NtCreateKey, 1_2_012396D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959A50 NtCreateFile,LdrInitializeThunk, 3_2_03959A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039599A0 NtCreateSection,LdrInitializeThunk, 3_2_039599A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_03959910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959840 NtDelayExecution,LdrInitializeThunk, 3_2_03959840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_03959860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959780 NtMapViewOfSection,LdrInitializeThunk, 3_2_03959780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959FE0 NtCreateMutant,LdrInitializeThunk, 3_2_03959FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959710 NtQueryInformationToken,LdrInitializeThunk, 3_2_03959710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039596D0 NtCreateKey,LdrInitializeThunk, 3_2_039596D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039596E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_039596E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039595D0 NtClose,LdrInitializeThunk, 3_2_039595D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959540 NtReadFile,LdrInitializeThunk, 3_2_03959540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0395A3B0 NtGetContextThread, 3_2_0395A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959B00 NtSetValueKey, 3_2_03959B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959A80 NtOpenDirectoryObject, 3_2_03959A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959A10 NtQuerySection, 3_2_03959A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959A00 NtProtectVirtualMemory, 3_2_03959A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959A20 NtResumeThread, 3_2_03959A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039599D0 NtCreateProcessEx, 3_2_039599D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959950 NtQueueApcThread, 3_2_03959950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039598A0 NtWriteVirtualMemory, 3_2_039598A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039598F0 NtReadVirtualMemory, 3_2_039598F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959820 NtEnumerateKey, 3_2_03959820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0395B040 NtSuspendThread, 3_2_0395B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039597A0 NtUnmapViewOfSection, 3_2_039597A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0395A710 NtOpenProcessToken, 3_2_0395A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959730 NtQueryVirtualMemory, 3_2_03959730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0395A770 NtOpenThread, 3_2_0395A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959770 NtSetInformationFile, 3_2_03959770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959760 NtOpenProcess, 3_2_03959760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959610 NtEnumerateValueKey, 3_2_03959610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959650 NtQueryValueKey, 3_2_03959650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959670 NtQueryInformationProcess, 3_2_03959670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959660 NtAllocateVirtualMemory, 3_2_03959660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039595F0 NtQueryInformationFile, 3_2_039595F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0395AD30 NtSetContextThread, 3_2_0395AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959520 NtWaitForSingleObject, 3_2_03959520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03959560 NtWriteFile, 3_2_03959560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE7BA0 NtCreateFile, 3_2_02DE7BA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE7CD0 NtClose, 3_2_02DE7CD0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE7C50 NtReadFile, 3_2_02DE7C50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE7CCA NtClose, 3_2_02DE7CCA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE7C4C NtReadFile, 3_2_02DE7C4C
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: String function: 00871820 appears 38 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: String function: 011FB150 appears 133 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0391B150 appears 124 times
Sample file is different than original file name gathered from version info
Source: Purchase Order 40,7045.exe, 00000000.00000003.234862655.00000000023D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
Source: Purchase Order 40,7045.exe, 00000001.00000002.269100880.00000000012EF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
Source: Purchase Order 40,7045.exe, 00000001.00000002.268943802.00000000011AC000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs Purchase Order 40,7045.exe
Yara signature match
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@16/13
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: Purchase Order 40,7045.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order 40,7045.exe Virustotal: Detection: 40%
Source: Purchase Order 40,7045.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe File read: C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: Purchase Order 40,7045.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045.exe, 00000000.00000003.233625901.0000000002450000.00000004.00000001.sdmp, Purchase Order 40,7045.exe, 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, netsh.exe, 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order 40,7045.exe, netsh.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_00879B2F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00879B2F
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_00871865 push ecx; ret 0_2_00871878
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_008864B9 push eax; ret 0_2_008864E9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_00886538 push eax; ret 0_2_008864E9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_0086BF4F push ecx; ret 0_2_0086BF62
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00415913 push edx; retf 1_2_00415915
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0041AC62 push D8D19732h; iretd 1_2_0041AC69
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00414D57 push esi; retf 1_2_00414D58
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0041AD65 push eax; ret 1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00414DEA push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0041ADB2 push eax; ret 1_2_0041ADB8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0041ADBB push eax; ret 1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00414E7E push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0041AE1C push eax; ret 1_2_0041AE22
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00414E24 push eax; ret 1_2_00414E32
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0040FF92 push 00000033h; iretd 1_2_0040FF98
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0124D0D1 push ecx; ret 1_2_0124D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0396D0D1 push ecx; ret 3_2_0396D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE5913 push edx; retf 3_2_02DE5915
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE4E7E push eax; ret 3_2_02DE4E32
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DEAE1C push eax; ret 3_2_02DEAE22
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE4E24 push eax; ret 3_2_02DE4E32
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DDFF92 push 00000033h; iretd 3_2_02DDFF98
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DEAC62 push D8D19732h; iretd 3_2_02DEAC69
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE4DEA push eax; ret 3_2_02DE4E32
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DEADBB push eax; ret 3_2_02DEAE22
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DEADB2 push eax; ret 3_2_02DEADB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DE4D57 push esi; retf 3_2_02DE4D58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_02DEAD65 push eax; ret 3_2_02DEADB8
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002DD83D4 second address: 0000000002DD83DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002DD876E second address: 0000000002DD8774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5720 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 6852 Thread sleep time: -50000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.250034592.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&r
Source: explorer.exe, 00000002.00000002.506854506.0000000004E61000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.508086144.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.252834409.000000000F685000.00000004.00000001.sdmp Binary or memory string: lume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAq
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_00409900 LdrLoadDll, 1_2_00409900
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0086F175
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_00879B2F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00879B2F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h] 1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h] 1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h] 1_2_011F2D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h] 1_2_01221DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h] 1_2_01221DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h] 1_2_01221DB5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h] 1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h] 1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h] 1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h] 1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h] 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122FD9B mov eax, dword ptr fs:[00000030h] 1_2_0122FD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122FD9B mov eax, dword ptr fs:[00000030h] 1_2_0122FD9B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0120D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0120D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0120D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0120D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h] 1_2_012BFDE2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012A8DF1 mov eax, dword ptr fs:[00000030h] 1_2_012A8DF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h] 1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h] 1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h] 1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h] 1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h] 1_2_01276DC9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122BC2C mov eax, dword ptr fs:[00000030h] 1_2_0122BC2C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h] 1_2_012C740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h] 1_2_012C740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h] 1_2_012C740D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h] 1_2_012B1C06
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h] 1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h] 1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h] 1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h] 1_2_01276C0A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121746D mov eax, dword ptr fs:[00000030h] 1_2_0121746D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h] 1_2_0122AC7B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122A44B mov eax, dword ptr fs:[00000030h] 1_2_0122A44B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0128C450 mov eax, dword ptr fs:[00000030h] 1_2_0128C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0128C450 mov eax, dword ptr fs:[00000030h] 1_2_0128C450
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0120849B mov eax, dword ptr fs:[00000030h] 1_2_0120849B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h] 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B14FB mov eax, dword ptr fs:[00000030h] 1_2_012B14FB
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h] 1_2_01276CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h] 1_2_01276CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h] 1_2_01276CF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C8CD6 mov eax, dword ptr fs:[00000030h] 1_2_012C8CD6
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122E730 mov eax, dword ptr fs:[00000030h] 1_2_0122E730
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121B73D mov eax, dword ptr fs:[00000030h] 1_2_0121B73D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121B73D mov eax, dword ptr fs:[00000030h] 1_2_0121B73D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C070D mov eax, dword ptr fs:[00000030h] 1_2_012C070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C070D mov eax, dword ptr fs:[00000030h] 1_2_012C070D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122A70E mov eax, dword ptr fs:[00000030h] 1_2_0122A70E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122A70E mov eax, dword ptr fs:[00000030h] 1_2_0122A70E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011F4F2E mov eax, dword ptr fs:[00000030h] 1_2_011F4F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011F4F2E mov eax, dword ptr fs:[00000030h] 1_2_011F4F2E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121F716 mov eax, dword ptr fs:[00000030h] 1_2_0121F716
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0128FF10 mov eax, dword ptr fs:[00000030h] 1_2_0128FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0128FF10 mov eax, dword ptr fs:[00000030h] 1_2_0128FF10
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0120FF60 mov eax, dword ptr fs:[00000030h] 1_2_0120FF60
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C8F6A mov eax, dword ptr fs:[00000030h] 1_2_012C8F6A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0120EF40 mov eax, dword ptr fs:[00000030h] 1_2_0120EF40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h] 1_2_01277794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h] 1_2_01277794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h] 1_2_01277794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01208794 mov eax, dword ptr fs:[00000030h] 1_2_01208794
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012337F5 mov eax, dword ptr fs:[00000030h] 1_2_012337F5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012AFE3F mov eax, dword ptr fs:[00000030h] 1_2_012AFE3F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h] 1_2_011FC600
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h] 1_2_011FC600
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h] 1_2_011FC600
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01228E00 mov eax, dword ptr fs:[00000030h] 1_2_01228E00
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012B1608 mov eax, dword ptr fs:[00000030h] 1_2_012B1608
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122A61C mov eax, dword ptr fs:[00000030h] 1_2_0122A61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0122A61C mov eax, dword ptr fs:[00000030h] 1_2_0122A61C
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_011FE620 mov eax, dword ptr fs:[00000030h] 1_2_011FE620
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0120766D mov eax, dword ptr fs:[00000030h] 1_2_0120766D
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h] 1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h] 1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h] 1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h] 1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h] 1_2_0121AE73
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h] 1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h] 1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h] 1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h] 1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h] 1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h] 1_2_01207E41
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012BAE44 mov eax, dword ptr fs:[00000030h] 1_2_012BAE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012BAE44 mov eax, dword ptr fs:[00000030h] 1_2_012BAE44
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012746A7 mov eax, dword ptr fs:[00000030h] 1_2_012746A7
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h] 1_2_012C0EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h] 1_2_012C0EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h] 1_2_012C0EA5
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_0128FE87 mov eax, dword ptr fs:[00000030h] 1_2_0128FE87
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012216E0 mov ecx, dword ptr fs:[00000030h] 1_2_012216E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012076E2 mov eax, dword ptr fs:[00000030h] 1_2_012076E2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_01238EC7 mov eax, dword ptr fs:[00000030h] 1_2_01238EC7
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012AFEC0 mov eax, dword ptr fs:[00000030h] 1_2_012AFEC0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012236CC mov eax, dword ptr fs:[00000030h] 1_2_012236CC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 1_2_012C8ED6 mov eax, dword ptr fs:[00000030h] 1_2_012C8ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03942397 mov eax, dword ptr fs:[00000030h] 3_2_03942397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0394B390 mov eax, dword ptr fs:[00000030h] 3_2_0394B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D138A mov eax, dword ptr fs:[00000030h] 3_2_039D138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039CD380 mov ecx, dword ptr fs:[00000030h] 3_2_039CD380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03921B8F mov eax, dword ptr fs:[00000030h] 3_2_03921B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03921B8F mov eax, dword ptr fs:[00000030h] 3_2_03921B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h] 3_2_03944BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h] 3_2_03944BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h] 3_2_03944BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039E5BA5 mov eax, dword ptr fs:[00000030h] 3_2_039E5BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039953CA mov eax, dword ptr fs:[00000030h] 3_2_039953CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039953CA mov eax, dword ptr fs:[00000030h] 3_2_039953CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h] 3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h] 3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h] 3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h] 3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h] 3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h] 3_2_039403E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393DBE9 mov eax, dword ptr fs:[00000030h] 3_2_0393DBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039C23E3 mov ecx, dword ptr fs:[00000030h] 3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039C23E3 mov ecx, dword ptr fs:[00000030h] 3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039C23E3 mov eax, dword ptr fs:[00000030h] 3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D131B mov eax, dword ptr fs:[00000030h] 3_2_039D131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h] 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039E8B58 mov eax, dword ptr fs:[00000030h] 3_2_039E8B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0391F358 mov eax, dword ptr fs:[00000030h] 3_2_0391F358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0391DB40 mov eax, dword ptr fs:[00000030h] 3_2_0391DB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03943B7A mov eax, dword ptr fs:[00000030h] 3_2_03943B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03943B7A mov eax, dword ptr fs:[00000030h] 3_2_03943B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0391DB60 mov ecx, dword ptr fs:[00000030h] 3_2_0391DB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0394D294 mov eax, dword ptr fs:[00000030h] 3_2_0394D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0394D294 mov eax, dword ptr fs:[00000030h] 3_2_0394D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0392AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0392AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0392AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0392AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0394FAB0 mov eax, dword ptr fs:[00000030h] 3_2_0394FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h] 3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h] 3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h] 3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h] 3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h] 3_2_039152A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03942ACB mov eax, dword ptr fs:[00000030h] 3_2_03942ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03942AE4 mov eax, dword ptr fs:[00000030h] 3_2_03942AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h] 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h] 3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03915210 mov ecx, dword ptr fs:[00000030h] 3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h] 3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h] 3_2_03915210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 3_2_0391AA16 mov eax, dword ptr fs:[00000030h] 3_2_0391AA16
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0086F175
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_00871C5F SetUnhandledExceptionFilter, 0_2_00871C5F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_0086BEA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0086BEA1

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Section loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: D90000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: explorer.exe, 00000002.00000000.241465822.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_008758AF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_008750B8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: GetLocaleInfoA, 0_2_0086F02E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_008759D6
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0087596F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_0087416E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00879AEC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_00875A12
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 0_2_00879A12
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_0087AB36
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_008754E7
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 0_2_0087146E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 0_2_00874DCA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_008755DC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_00875683
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_008756DE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 0_2_0086AFDD
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe Code function: 0_2_0087237A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0087237A

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Remote Access Functionality:

Yara detected FormBook
[Behavior Graph. ID: 321387, Sample: Purchase Order 40,7045.exe, Startdate: 21/11/2020, Architecture: WINDOWS, Score: 100. Process chain: Purchase Order 40,7045.exe started Purchase Order 40,7045.exe, which injected explorer.exe; explorer.exe started netsh.exe, which started cmd.exe, which started conhost.exe.]

Contacted Public IPs


Contacted Domains


Contacted URLs
