
Analysis Report Purchase Order 40,7045.exe

Overview

General Information

Sample Name: Purchase Order 40,7045.exe
Analysis ID: 321387
MD5: 2566aac2faf57e27d8778f2c61bac6d3
SHA1: b163ec807fe59a0f85f2d964fe1e8ffa8adab77e
SHA256: 7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase Order 40,7045.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045.exe' MD5: 2566AAC2FAF57E27D8778F2C61BAC6D3)
    • Purchase Order 40,7045.exe (PID: 6932 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045.exe MD5: 2566AAC2FAF57E27D8778F2C61BAC6D3)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6984 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 5700 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below each row)
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16089:$sqlite3step: 68 34 1C 7B E1
  • 0x1619c:$sqlite3step: 68 34 1C 7B E1
  • 0x160b8:$sqlite3text: 68 38 2A 90 C5
  • 0x161dd:$sqlite3text: 68 38 2A 90 C5
  • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below each row)
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16089:$sqlite3step: 68 34 1C 7B E1
  • 0x1619c:$sqlite3step: 68 34 1C 7B E1
  • 0x160b8:$sqlite3text: 68 38 2A 90 C5
  • 0x161dd:$sqlite3text: 68 38 2A 90 C5
  • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045.exe | Virustotal: Detection: 40%
Source: Purchase Order 40,7045.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045.exe | Joe Sandbox ML: detected
Source: 0.2.Purchase Order 40,7045.exe.7f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 4x nop then pop edi | 1_2_00415044
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 4x nop then pop edi | 1_2_00415C88
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 4x nop then pop ebx | 1_2_004066DA
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi | 3_2_02DE5044
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop ebx | 3_2_02DD66DA
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi | 3_2_02DE5C88

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 13.248.196.204:80 -> 192.168.2.3:49750
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49752
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1 | Host: www.ownumo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.trafegopago.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1 | Host: www.coveloungewineandwhiskey.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.covid19salivatestdirect.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1 | Host: www.heartandcrowncloset.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.primeworldgroup.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1 | Host: www.placeduconfort.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.hyx20140813.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1 | Host: www.obsessingwealth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.cashintl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1 | Host: www.namofast.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.plantpowered.energy | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1 | Host: www.capitalcitybombers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1 | Host: www.chemtradent.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1 | Host: www.ownumo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 160.153.136.3
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS
Source: Joe Sandbox View | ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: unknown | DNS traffic detected: queries for: www.ownumo.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Sat, 21 Nov 2020 08:23:14 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 
20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7
Source: netsh.exe, 00000003.00000002.500404825.000000000419D000.00000004.00000001.sdmp | String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: Purchase Order 40,7045.exe | Static file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Purchase Order 40,7045.exe
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00417BA0 NtCreateFile
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00417C50 NtReadFile
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00417CD0 NtClose
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00417D80 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00417C4C NtReadFile
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00417CCA NtClose
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012399A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012395D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012399D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0123B040 NtSuspendThread
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012398A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0123A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239A10 NtQuerySection
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0123AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239560 NtWriteFile
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012395F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0123A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239760 NtOpenProcess
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0123A770 NtOpenThread
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012396D0 NtCreateKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039599A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039596D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039596E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039595D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0395A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959A10 NtQuerySection
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959A20 NtResumeThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039598F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0395B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039597A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0395A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0395A770 NtOpenThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959760 NtOpenProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0395AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959560 NtWriteFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DE7BA0 NtCreateFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DE7CD0 NtClose
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DE7C50 NtReadFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DE7CCA NtClose
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DE7C4C NtReadFile
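The native API list above is the raw material for an injection verdict: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory / NtMapViewOfSection, NtSetContextThread and NtResumeThread are the primitives of process hollowing, and NtQueueApcThread is the APC-injection primitive, resolved in both the second instance of the sample (pid 1) and in netsh.exe (pid 3). The following triage script is an added example and is not part of the Joe Sandbox report or of the sample: it parses rows in the report's "Code function" format (both the flattened page text and the column-separated form), groups the resolved Nt* functions per process, and reports which stages of a hollowing chain each process has the primitives for. The sample rows are constructed from the entries above, and the stage grouping is this example's own assumption. Seeing every stage resolved in one process is the indicator a sandbox turns into a hollowing verdict; it does not prove that the calls were executed, or executed in that order.

```python
import re
from collections import defaultdict

# One "Code function" row of the report. The column separator between Source
# and Code function is optional so that both the flattened page text
# ("...exeCode function: ...") and the cleaned form ("...exe | Code function: ...")
# parse. The repeated function id that the flattened page appends after the
# API list is dropped by _API_NAME below.
_ROW = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{6,8})\s+(?P<apis>[A-Za-z0-9_,]+)"
)
_API_NAME = re.compile(r"^(Nt|Zw|Ldr|Rtl)[A-Za-z0-9]+$")

# Primitives a hollowing loader needs, in the order it uses them. This grouping
# is the example's own assumption; the report only lists resolved functions.
HOLLOWING_STAGES = (
    ("spawn target (suspended)", {"NtCreateProcessEx", "NtCreateUserProcess"}),
    ("unmap original image", {"NtUnmapViewOfSection"}),
    ("write payload", {"NtWriteVirtualMemory", "NtMapViewOfSection"}),
    ("redirect entry point", {"NtSetContextThread"}),
    ("resume thread", {"NtResumeThread"}),
)
APC_INJECTION = {"NtQueueApcThread"}


def parse_rows(text):
    """Group the report's Code function rows by (image, pid) -> set of API names."""
    procs = defaultdict(set)
    for line in text.splitlines():
        m = _ROW.search(line)
        if not m:
            continue
        key = (m["image"], int(m["pid"]))
        procs[key].update(t for t in m["apis"].split(",") if _API_NAME.match(t))
    return procs


def triage(text):
    """One finding per process: which hollowing stages it has the primitives for."""
    findings = []
    for (image, pid), apis in sorted(parse_rows(text).items(), key=lambda kv: kv[0][1]):
        stages = [name for name, needed in HOLLOWING_STAGES if apis & needed]
        findings.append({
            "image": image,
            "pid": pid,
            "api_count": len(apis),
            "stages": stages,
            "hollowing": len(stages) == len(HOLLOWING_STAGES),
            "apc_injection": bool(apis & APC_INJECTION),
        })
    return findings


# Constructed sample rows in the report's format (a subset of the entries above;
# the first row is in the flattened page form to show that it parses as well).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 0_2_00417BA0 NtCreateFile,0_2_00417BA0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00417C50 NtReadFile
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012399D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012398A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0123AD30 NtSetContextThread
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01239950 NtQueueApcThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039599D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039597A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0395AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03959A20 NtResumeThread
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        flag = "HOLLOWING" if f["hollowing"] else "-"
        print(f'pid {f["pid"]} {f["image"]}: {f["api_count"]} APIs, {flag}, '
              f'APC={f["apc_injection"]}, stages={f["stages"]}')
```

Run against the full row set of a report, the script separates the first instance of the sample (file and allocation APIs only, the unpacking stage) from the second instance and the netsh.exe host, which both carry the complete hollowing set; the APC primitive appears only where NtQueueApcThread is resolved, which is why it is reported separately rather than folded into the hollowing verdict.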
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0086F895
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00876098
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00876808
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0087B14E
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0087BBF0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00876BF0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0087DCD9
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00875C03
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00876436
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0087B69F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0087CFA1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0086A7E0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0041C16E
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00408A40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00408A3B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0041C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00402D8A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0041BF03
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01214120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FF900
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012CE824
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121A830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B1002
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C20A8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120B090
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C28EC
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C2B28
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121A309
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121AB40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122EBB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012A23E3
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B03DA
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012BDBD2
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122ABD8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012AFA2B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C22AE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B4AEF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C2D07
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011F0D20
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C1D55
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01222581
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B2D82
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120D5E0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C25DD
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120841F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012BD466
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B4496
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C1FF1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012CDFCE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01216E30
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012BD616
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C2EF7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0394EBB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039D03DA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0394ABD8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039DDBD2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039C23E3
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0393A309
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E2B28
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0393AB40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E22AE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039D4AEF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039CFA2B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039399BF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0391F900
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03934120
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0392B090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039420A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E20A8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E28EC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039D1002
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0393A830
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039EE824
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039EDFCE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E1FF1
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E2EF7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039DD616
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03936E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03942581
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E25DD
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0392D5E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E2D07
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03910D20
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039E1D55
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039D4496
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0392841F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_039DD466
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DD8A40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DD8A3B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DEC16E
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DD2FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DEBF03
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DD2D90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DD2D8A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_02DEC52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: String function: 00871820 appears 38 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: String function: 011FB150 appears 133 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0391B150 appears 124 times
          Source: Purchase Order 40,7045.exe, 00000000.00000003.234862655.00000000023D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
          Source: Purchase Order 40,7045.exe, 00000001.00000002.269100880.00000000012EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
          Source: Purchase Order 40,7045.exe, 00000001.00000002.268943802.00000000011AC000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs Purchase Order 40,7045.exe
          Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@16/13
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
          Source: Purchase Order 40,7045.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Purchase Order 40,7045.exe | Virustotal: Detection: 40%
          Source: Purchase Order 40,7045.exe | ReversingLabs: Detection: 33%
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | File read: C:\Users\user\Desktop\Purchase Order 40,7045.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
          Source: Purchase Order 40,7045.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netsh.pdb source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045.exe, 00000000.00000003.233625901.0000000002450000.00000004.00000001.sdmp, Purchase Order 40,7045.exe, 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, netsh.exe, 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase Order 40,7045.exe, netsh.exe
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 0_2_00879B2F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00879B2F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 0_2_00871865 push ecx; ret 0_2_00871878
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 0_2_008864B9 push eax; ret 0_2_008864E9
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 0_2_00886538 push eax; ret 0_2_008864E9
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 0_2_0086BF4F push ecx; ret 0_2_0086BF62
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_00415913 push edx; retf 1_2_00415915
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0041AC62 push D8D19732h; iretd 1_2_0041AC69
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_00414D57 push esi; retf 1_2_00414D58
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0041AD65 push eax; ret 1_2_0041ADB8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_00414DEA push eax; ret 1_2_00414E32
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0041ADB2 push eax; ret 1_2_0041ADB8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0041ADBB push eax; ret 1_2_0041AE22
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_00414E7E push eax; ret 1_2_00414E32
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0041AE1C push eax; ret 1_2_0041AE22
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_00414E24 push eax; ret 1_2_00414E32
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0040FF92 push 00000033h; iretd 1_2_0040FF98
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exeCode function: 1_2_0124D0D1 push ecx; ret 1_2_0124D0E4
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_0396D0D1 push ecx; ret 3_2_0396D0E4
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DE5913 push edx; retf 3_2_02DE5915
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DE4E7E push eax; ret 3_2_02DE4E32
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DEAE1C push eax; ret 3_2_02DEAE22
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DE4E24 push eax; ret 3_2_02DE4E32
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DDFF92 push 00000033h; iretd 3_2_02DDFF98
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DEAC62 push D8D19732h; iretd 3_2_02DEAC69
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DE4DEA push eax; ret 3_2_02DE4E32
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DEADBB push eax; ret 3_2_02DEAE22
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DEADB2 push eax; ret 3_2_02DEADB8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DE4D57 push esi; retf 3_2_02DE4D58
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_02DEAD65 push eax; ret 3_2_02DEADB8
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002DD83D4 second address: 0000000002DD83DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002DD876E second address: 0000000002DD8774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_004086A0 rdtsc 1_2_004086A0
          Source: C:\Windows\explorer.exe TID: 5720 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 6852 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.250034592.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&r
          Source: explorer.exe, 00000002.00000002.506854506.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000002.00000002.508086144.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.252834409.000000000F685000.00000004.00000001.sdmp | Binary or memory string: lume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAq
          Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_004086A0 rdtsc 1_2_004086A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_00409900 LdrLoadDll, 1_2_00409900
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0086F175
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00879B2F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00879B2F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00861FA0 mov eax, dword ptr fs:[00000030h] 0_2_00861FA0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00887A30 mov eax, dword ptr fs:[00000030h] 0_2_00887A30
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_008885C4 mov eax, dword ptr fs:[00000030h] 0_2_008885C4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00888524 mov eax, dword ptr fs:[00000030h] 0_2_00888524
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 0_2_00888561 mov eax, dword ptr fs:[00000030h] 0_2_00888561
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h] 1_2_01214120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h] 1_2_01214120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h] 1_2_01214120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h] 1_2_01214120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01214120 mov ecx, dword ptr fs:[00000030h] 1_2_01214120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122513A mov eax, dword ptr fs:[00000030h] 1_2_0122513A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122513A mov eax, dword ptr fs:[00000030h] 1_2_0122513A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h] 1_2_011F9100
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h] 1_2_011F9100
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h] 1_2_011F9100
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121B944 mov eax, dword ptr fs:[00000030h] 1_2_0121B944
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121B944 mov eax, dword ptr fs:[00000030h] 1_2_0121B944
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FB171 mov eax, dword ptr fs:[00000030h] 1_2_011FB171
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FB171 mov eax, dword ptr fs:[00000030h] 1_2_011FB171
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FC962 mov eax, dword ptr fs:[00000030h] 1_2_011FC962
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012769A6 mov eax, dword ptr fs:[00000030h] 1_2_012769A6
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012261A0 mov eax, dword ptr fs:[00000030h] 1_2_012261A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012261A0 mov eax, dword ptr fs:[00000030h] 1_2_012261A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h] 1_2_012B49A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h] 1_2_012B49A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h] 1_2_012B49A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h] 1_2_012B49A4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h] 1_2_012751BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h] 1_2_012751BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h] 1_2_012751BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h] 1_2_012751BE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h] 1_2_012199BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121C182 mov eax, dword ptr fs:[00000030h] 1_2_0121C182
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122A185 mov eax, dword ptr fs:[00000030h] 1_2_0122A185
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01222990 mov eax, dword ptr fs:[00000030h] 1_2_01222990
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012841E8 mov eax, dword ptr fs:[00000030h] 1_2_012841E8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_011FB1E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_011FB1E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_011FB1E1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h] 1_2_0120B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h] 1_2_0120B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h] 1_2_0120B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h] 1_2_0120B02A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h] 1_2_0122002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h] 1_2_0122002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h] 1_2_0122002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h] 1_2_0122002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h] 1_2_0122002D
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h] 1_2_0121A830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h] 1_2_0121A830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h] 1_2_0121A830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h] 1_2_0121A830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h] 1_2_01277016
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h] 1_2_01277016
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h] 1_2_01277016
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C4015 mov eax, dword ptr fs:[00000030h] 1_2_012C4015
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C4015 mov eax, dword ptr fs:[00000030h] 1_2_012C4015
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012B2073 mov eax, dword ptr fs:[00000030h] 1_2_012B2073
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012C1074 mov eax, dword ptr fs:[00000030h] 1_2_012C1074
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01210050 mov eax, dword ptr fs:[00000030h] 1_2_01210050
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01210050 mov eax, dword ptr fs:[00000030h] 1_2_01210050
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h] 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h] 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h] 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h] 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h] 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h] 1_2_012220A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_012390AF mov eax, dword ptr fs:[00000030h] 1_2_012390AF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0122F0BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122F0BF mov eax, dword ptr fs:[00000030h] 1_2_0122F0BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0122F0BF mov eax, dword ptr fs:[00000030h] 1_2_0122F0BF
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011F9080 mov eax, dword ptr fs:[00000030h] 1_2_011F9080
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01273884 mov eax, dword ptr fs:[00000030h] 1_2_01273884
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_01273884 mov eax, dword ptr fs:[00000030h] 1_2_01273884
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121B8E4 mov eax, dword ptr fs:[00000030h] 1_2_0121B8E4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0121B8E4 mov eax, dword ptr fs:[00000030h] 1_2_0121B8E4
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_011F58EC mov eax, dword ptr fs:[00000030h] 1_2_011F58EC
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0128B8D0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0128B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0128B8D0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0128B8D0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe | Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0128B8D0
          Source: