Play interactive tour

Edit tour

Analysis Report purchase order.exe

Overview

General Information

Sample Name:	purchase order.exe
Analysis ID:	323034
MD5:	975187a07455d3cbf38ec878d893b490
SHA1:	af8ddbf775cdb9dbd3776f717c192094202127be
SHA256:	009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

purchase order.exe (PID: 3900 cmdline: 'C:\Users\user\Desktop\purchase order.exe' MD5: 975187A07455D3CBF38EC878D893B490)

purchase order.exe (PID: 4672 cmdline: C:\Users\user\Desktop\purchase order.exe MD5: 975187A07455D3CBF38EC878D893B490)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msdt.exe (PID: 6468 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 6508 cmdline: /c del 'C:\Users\user\Desktop\purchase order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x367a88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x367cf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3942a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x394512:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x373815:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3a0035:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x373301:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x39fb21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x373917:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3a0137:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x373a8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3a02af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x36870a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x394f2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x37257c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x39ed9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x369403:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x395c23:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x379687:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3a5ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x37a68a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3765a9:$sqlite3step: 68 34 1C 7B E1 0x3766bc:$sqlite3step: 68 34 1C 7B E1 0x3a2dc9:$sqlite3step: 68 34 1C 7B E1 0x3a2edc:$sqlite3step: 68 34 1C 7B E1 0x3765d8:$sqlite3text: 68 38 2A 90 C5 0x3766fd:$sqlite3text: 68 38 2A 90 C5 0x3a2df8:$sqlite3text: 68 38 2A 90 C5 0x3a2f1d:$sqlite3text: 68 38 2A 90 C5 0x3765eb:$sqlite3blob: 68 53 D8 7F 8C 0x376713:$sqlite3blob: 68 53 D8 7F 8C 0x3a2e0b:$sqlite3blob: 68 53 D8 7F 8C 0x3a2f33:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: purchase order.exe PID: 3900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.purchase order.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.purchase order.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.purchase order.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
2.2.purchase order.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.purchase order.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.purchase order.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: purchase order.exe	Virustotal: Detection: 28%			Perma Link
Source: purchase order.exe	ReversingLabs: Detection: 19%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: purchase order.exe

Joe Sandbox ML: detected

Source: 2.2.purchase order.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\purchase order.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.6:49750

Source: global traffic	HTTP traffic detected: GET /sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp HTTP/1.1Host: www.rettexo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp HTTP/1.1Host: www.makgxoimisitzer.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp HTTP/1.1Host: www.purehempbotanicalsinfo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: UNMETEREDCA UNMETEREDCA
Source: Joe Sandbox View	ASN Name: TOTAL-SERVER-SOLUTIONSUS TOTAL-SERVER-SOLUTIONSUS

Source: global traffic	HTTP traffic detected: GET /sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp HTTP/1.1Host: www.rettexo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp HTTP/1.1Host: www.makgxoimisitzer.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp HTTP/1.1Host: www.purehempbotanicalsinfo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: purchase order.exe, 00000000.00000002.355213949.0000000002CD1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.357823561.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: purchase order.exe

Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B1015C NtQueryInformationProcess,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B10B88 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041A050 NtClose,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041A100 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00419F20 NtCreateFile,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00419FD0 NtReadFile,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00419FCA NtReadFile,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017EB040 NtSuspendThread,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017EA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9A10 NtQuerySection,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9560 NtWriteFile,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017EA770 NtOpenThread,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9760 NtOpenProcess,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017EA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E96D0 NtCreateKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048995D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048996D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048995F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0489AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899560 NtWriteFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048997A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0489A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899760 NtOpenProcess,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0489A770 NtOpenThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048998A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048998F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0489B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048999D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899A10 NtQuerySection,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899A20 NtResumeThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0489A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04899B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063A050 NtClose,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063A100 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00639F20 NtCreateFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00639FD0 NtReadFile,
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00639FCA NtReadFile,

Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B10470
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B1CB7C
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B10940
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B17C80
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B10931
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B1ACF0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B1FBF8
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B17C71
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_02B1DD90
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_063ABED8
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_063A6520
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_063A650F
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_063A0040
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_06A2ACA0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_06A27C90
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_06A25470
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_06A262A0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_06A24F20
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041D853
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00401030
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041D38E
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00402D88
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00409E30
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041E73A
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C4120
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AF900
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018720A8
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018728EC
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861002
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0187E824
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BB090
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186DBD2
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01872B28
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DEBB0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018722AE
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A0D20
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018725DD
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01872D07
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BD5E0
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01871D55
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2581
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B841F
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186D466
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01871FF1
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C6E30
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01872EF7
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491D466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049225DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486D5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04922D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04850D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04921D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04922EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04876E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492DFCE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04921FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486B090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049220A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049228EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492E824
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485F900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04874120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049222AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0490FA2B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488EBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491DBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049103DA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04922B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487AB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D853
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D816
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D38E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00622D88
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00622D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00629E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063E73A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00622FB0

Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0485B150 appears 48 times
Source: C:\Users\user\Desktop\purchase order.exe	Code function: String function: 017AB150 appears 35 times

Source: purchase order.exe, 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs purchase order.exe
Source: purchase order.exe, 00000000.00000000.333598877.00000000009B0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
Source: purchase order.exe, 00000002.00000002.395144348.000000000189F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs purchase order.exe
Source: purchase order.exe, 00000002.00000000.353042240.0000000000CD0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe
Source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs purchase order.exe
Source: purchase order.exe	Binary or memory string: OriginalFilenameL6HC.exeP vs purchase order.exe

Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@6/3

Source: C:\Users\user\Desktop\purchase order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01

Source: purchase order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\purchase order.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\purchase order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: purchase order.exe	Virustotal: Detection: 28%
Source: purchase order.exe	ReversingLabs: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\purchase order.exe 'C:\Users\user\Desktop\purchase order.exe'
Source: unknown	Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
Source: unknown	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\purchase order.exe	Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'

Source: C:\Users\user\Desktop\purchase order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\purchase order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: purchase order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: purchase order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.377355938.0000000007BA0000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: purchase order.exe, 00000002.00000002.395144348.000000000189F000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.601559435.0000000004830000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: purchase order.exe, msdt.exe
Source:	Binary string: msdt.pdb source: purchase order.exe, 00000002.00000002.395621910.0000000003380000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.377355938.0000000007BA0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_063A5252 push ecx; iretd
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_063A2B1C push es; iretd
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 0_2_06A2E18D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041D075 push eax; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041C802 push esi; iretd
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041D0C2 push eax; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041D0CB push eax; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041E172 pushfd ; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041D12C push eax; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_004182CC push cs; retf
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041E4F5 push dword ptr [537421FAh]; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_00419C92 pushfd ; iretd
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0041674D push 8EAE14C8h; iretd
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_004167AE push C6E9D42Ah; ret
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017FD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048AD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D075 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063C802 push esi; iretd
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D0C2 push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D0CB push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063E172 pushfd ; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063D12C push eax; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_006382CC push cs; retf
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063E4F5 push dword ptr [537421FAh]; ret
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_00639C92 pushfd ; iretd
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0063674D push 8EAE14C8h; iretd
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_006367AE push C6E9D42Ah; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.23319521913

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEE

Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\purchase order.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: purchase order.exe PID: 3900, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\purchase order.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\purchase order.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\purchase order.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 00000000006298E4 second address: 00000000006298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000000629B4E second address: 0000000000629B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\purchase order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\purchase order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\purchase order.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\purchase order.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\purchase order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\purchase order.exe

Code function: 2_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\purchase order.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\purchase order.exe TID: 5016	Thread sleep time: -49972s >= -30000s
Source: C:\Users\user\Desktop\purchase order.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7048	Thread sleep time: -64000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000000.378092448.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.378015974.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000003.00000000.374586186.0000000006410000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.612924741.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.381193325.000000000D484000.00000004.00000001.sdmp	Binary or memory string: 8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: purchase order.exe, 00000000.00000002.355593298.0000000002F08000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.378386869.0000000008540000.00000004.00000001.sdmp	Binary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: explorer.exe, 00000003.00000000.374586186.0000000006410000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: purchase order.exe, 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.378015974.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.377852959.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.377852959.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: purchase order.exe, 00000000.00000002.355570300.0000000002F00000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.378092448.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000003.00000000.373701178.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000003.00000000.357823561.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\purchase order.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\purchase order.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\purchase order.exe

Code function: 2_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\purchase order.exe

Code function: 2_2_0040ACC0 LdrLoadDll,

Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01823884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01823884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01874015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01874015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01827016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01827016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01827016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01871074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01862073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0185D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017ADB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01875BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017ADB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01878B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01834257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0185B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0185B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01878A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01858DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01878D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0182A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01823540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01878CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01826C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0187740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0187740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0187740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01827794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01827794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01827794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0187070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0187070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01878F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0183FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01870EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_018246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0185FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01878ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_01861608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_017E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0185FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\purchase order.exe	Code function: 2_2_0186AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04928CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04881DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04881DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04881DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04908DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04928D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04884D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04884D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04884D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048DA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04893D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04903D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04877D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04920EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04920EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04920EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04928ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04898EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0490FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04888E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04911608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0490FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04868794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0492070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04854F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04854F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04928F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04859080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04924015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04924015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04870050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04870050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04912073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04921074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048E41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04859100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04859100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04859100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04874120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0487B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_048552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0486AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0488FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04882AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0491AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04868A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0485AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04855210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04855210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04855210 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\purchase order.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\purchase order.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msdt.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\purchase order.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Network Connect: 154.3.112.106 80
Source: C:\Windows\explorer.exe	Network Connect: 192.252.210.84 80

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\purchase order.exe

Memory written: C:\Users\user\Desktop\purchase order.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\purchase order.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\purchase order.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\purchase order.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\purchase order.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3440

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\purchase order.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\purchase order.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: F60000

Source: C:\Users\user\Desktop\purchase order.exe	Process created: C:\Users\user\Desktop\purchase order.exe C:\Users\user\Desktop\purchase order.exe
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\purchase order.exe'

Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000003.00000002.600093828.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.601109998.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Users\user\Desktop\purchase order.exe VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\purchase order.exe

Code function: 0_2_06A2A4C0 GetUserNameA,

Source: C:\Users\user\Desktop\purchase order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.purchase order.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery331	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion14	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion14	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing2	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
purchase order.exe	29%	Virustotal		Browse
purchase order.exe	19%	ReversingLabs	Win32.Trojan.Wacatac
purchase order.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.purchase order.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.purehempbotanicalsinfo.com/sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp	0%	Avira URL Cloud	safe
http://www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.makgxoimisitzer.info/sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rettexo.com	34.102.136.180	true	true	unknown
makgxoimisitzer.info	192.252.210.84	true	true	unknown
www.keystonefulfillment.com	52.58.78.16	true	false	unknown
purehempbotanicalsinfo.com	154.3.112.106	true	true	unknown
www.makgxoimisitzer.info	unknown	unknown	true	unknown
www.rettexo.com	unknown	unknown	true	unknown
g.msn.com	unknown	unknown	false	high
www.purehempbotanicalsinfo.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.purehempbotanicalsinfo.com/sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp	true	Avira URL Cloud: safe	unknown
http://www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp	true	Avira URL Cloud: safe	unknown
http://www.makgxoimisitzer.info/sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.357823561.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	purchase order.exe, 00000000.00000002.355213949.0000000002CD1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000003.00000000.379162690.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
154.3.112.106	unknown	United States	54133	UNMETEREDCA	true
192.252.210.84	unknown	United States	46562	TOTAL-SERVER-SOLUTIONSUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323034
Start date:	26.11.2020
Start time:	08:33:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	purchase order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@6/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.9% (good quality ratio 9.6%) Quality average: 70.1% Quality standard deviation: 32.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 104.43.193.48, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.103.5.159, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.247, 92.122.213.194, 23.210.248.85, 51.104.144.132 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:34:57	API Interceptor	1x Sleep call for process: purchase order.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.102.136.180	inv.exe	Get hash	malicious	Browse	www.nextgenmemorabilia.com/hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4
	anthon.exe	Get hash	malicious	Browse	www.stlmache.com/94sb/?D8c=zlihirZ0hdZXaD&8pdPSNhX=oHhCnRhAqLFON9zTJDssyW7Qcc6qw5o0Z4654po5P9rAmpqiU8ijSaSHb7UixrcmwTy4
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	www.messianicentertainment.com/mkv/
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	www.youarecoveredamerica.com/cxs/?wR=30eviFukjpDMKdZAPLSN5kaysTzlcADcsOyOixR0/60FoTO0nFa3+4ZYvhmf8uIzSvTf&V4=inHXwbhx
	PO EME39134.xlsx	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?NL08b=wzYKSVBwuJMkKFzZssaTzgW2Vk9zJFgyObnh9ous05GVmO8iDcl865kQdMMIGiQlXQz3Bg==&Ab=JpApTx
	PRODUCT INQUIRY BNQ1.xlsx	Get hash	malicious	Browse	www.d2cbox.com/coz3/?RFN4=Db4oM/0ZSLcS2WrsSk0EAPitYAH7G5kPXSBsu1Ti9XYpj/EUmwYzXG6I+6XEGkDvXHlCmg==&RB=NL00JzKhBv9HkNRp
	Document Required.xlsx	Get hash	malicious	Browse	www.vegbydesign.net/et2d/?LDHDp=V0L4Gg8XEG33noZ7KcimyECCbO7JKaiXnbIiZHmOm/4B4fbkqB2G6gSUl7eOq1VGLYG7cQ==&1bY8l=ktg8tf6PjX7
	Payment - Swift Copy.exe	Get hash	malicious	Browse	www.meetyourwish.com/mnc/?Mdkdxdax=WY4KUSY8ftRWBzX7AqE30jxuDiwNulyYTSspkj6O426HLT41/FrvTZzWmkvAdUuy3I6l&ZVj0=YN6tXn0HZ8X
	Shipment Document BLINV And Packing List Attached.exe	Get hash	malicious	Browse	www.kanmra.com/bg8v/?DXIXO=bN+sZwdqksHEVUXNrgv1qWKxxuRS+qOVBUFqNGSJvK31ERFsrbT8+Ywa/qntJ641tecm&Jt7=XPv4nH2h
	SR7UzD8vSg.exe	Get hash	malicious	Browse	www.seatoskyphotos.com/g65/?7nwhJ4l=TXJeSLolb01vansOrhIgOMhNYUnQdj/rfF4amJcBrUYE+yYYkSMe6xNPoYCNXAECPfCM&PpJ=2dGHUZtH1RcT9x
	fSBya4AvVj.exe	Get hash	malicious	Browse	www.crdtchef.com/coz3/?uVg8S=yVCTVPM0BpPlbRn&Cb=6KJmJcklo30WnY6vewxcXLig2KFmxMKN3/pat9BWRdDInxGr1qf1MmoT0+9/86rmVbJja+uPDg==
	7OKYiP6gHy.exe	Get hash	malicious	Browse	www.space-ghost.com/mz59/?DxlpdH=bx7WlvEZr3O5XBwInsT/p4C3h10gePk/QJkiFTbVYZMx/qNyufU701Fr8sAaS9DQf7SJ&k2Jxtb=fDHHbT_hY
	ptFIhqUe89.exe	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSepgeCyUWcTuH
	G1K3UzwJBx.exe	Get hash	malicious	Browse	www.softdevteams.com/wsu/?JfBpEB4H=UDFlvLrb363Z/K3+q9OjWueixmKoOm8xQw3Yd3ofqrJMoI6bXqsuqW1H0uReyIz+CvJE&odqddr=RzuhPD
	ARRIVAL NOTICE.xlsx	Get hash	malicious	Browse	www.befitptstudio.com/ogg/?oN9xX=4mwbOnk+WEse1PEPUI+9OE7CuRKrYpR8Uy9t/eBM2SPWQ9N1Pm1uQBQ852Ah+FLlD8dO/Q==&r8=-ZoxsbmheH5H_0_
	Confectionary and choco.xlsx	Get hash	malicious	Browse	www.thesiromiel.com/kgw/?qDH4D=f8c0xBrPYPKd&ML30a=2i2TlC6nSGv7nfRnhje0HOiHksQfPDJcIBIB+Miyp4ApD+T5OEbWO8tIEn4OYJPJCmlhDQ==
	C03N224Hbu.exe	Get hash	malicious	Browse	www.pethgroup.com/mfg6/?Dz=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSeqAONTEuC2HA&lnuh=TxllfFx
	EME.39134.xlsx	Get hash	malicious	Browse	www.hrreverie.com/mfg6/?yzux_nSp=j2HGGFUSYNztypOYAYoDf2aqNzVZr1eTDPiKbLutMj6KkAEvkO3e6W3a8VBJiEhjVXb3Fg==&rF=_HCtZ4
	new quotation order.exe	Get hash	malicious	Browse	www.themillticket.com/mkr/
	Tracking No_SINI0068206497.exe	Get hash	malicious	Browse	www.beastbodiwear.com/rte/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	inv.exe	Get hash	malicious	Browse	34.102.136.180
	http://email.balluun.com/ls/click?upn=0tHwWGqJA7fIfwq261XQPoa-2Bm5KwDIa4k7cEZI4W-2FdMZ1Q80M51jA5s51EdYNFwUO080OaXBwsUkIwQ6bL8cCo1cNcDJzlw2uVCKEfhUzZ7Fudhp6bkdbJB13EqLH9-2B4kEnaIsd7WRusADisZIU-2FqT0gWvSPQ-2BUMBeGniMV23Qog3fOaT300-2Fv2T0mA5uuaLf6MwKyAEEDv4vRU3MHAWtQ-3D-3DaUdf_BEBGVEU6IBswk46BP-2FJGpTLX-2FIf4Ner2WBFJyc5PmXI5kSwVWq-2FIninIJmDnNhUsSuO8YJPXc32diFLFly8-2FlazGQr8nbzBIO-2BSvdfUqJySNySwNZh5-2F7tiFSU4CooXZWp-2FjpdCX-2Fz89pGPVGN3nhMItFmIBBYMcjwlGWZ8vS3fpyiPHr-2BxekPNfR4Lq-2Baznil07vpcMoEZofdPQTnqnmg-3D-3D	Get hash	malicious	Browse	172.217.168.84
	2020112395387_pdf.exe	Get hash	malicious	Browse	35.246.6.109
	anthon.exe	Get hash	malicious	Browse	34.102.136.180
	http://searchlf.com	Get hash	malicious	Browse	74.125.128.154
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	34.102.136.180
	https://www.canva.com/design/DAEOhhihuRE/ilbmdiYYv4SZabsnRUeaIQ/view?utm_content=DAEOhhihuRE&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	74.125.128.157
	https://www.canva.com/design/DAEOiuhLwDM/BOj9WYGqioxJf6uGii9b8Q/view?utm_content=DAEOiuhLwDM&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	172.217.168.34
	https://docs.google.com/document/d/e/2PACX-1vTkklFHE_qZt5bggVyzSlPIJpfBM78UhR9h5giojoPSOo0J_kMb27pVCxF_eQESVaFWkRLwKQoIVpE-/pub	Get hash	malicious	Browse	74.125.128.155
	https://docs.google.com/forms/d/e/1FAIpQLSfvVCUvByTC7wIMNQsuALuu8sCIp5hXEtWabaZn5DsGltbkEg/viewform	Get hash	malicious	Browse	216.58.215.225
	https://docs.google.com/forms/d/e/1FAIpQLSfvVCUvByTC7wIMNQsuALuu8sCIp5hXEtWabaZn5DsGltbkEg/viewform	Get hash	malicious	Browse	172.217.168.34
	https://Index.potentialissue.xyz/?e=fake@fake.com	Get hash	malicious	Browse	74.125.128.155
	https://omgzone.co.uk/	Get hash	malicious	Browse	35.190.25.25
	http://yjjv.midlidl.com/index	Get hash	malicious	Browse	172.217.168.1
	https://doc.clickup.com/p/h/84zph-7/c3996c24fc61b45	Get hash	malicious	Browse	35.244.142.80
	ATT59829.htm	Get hash	malicious	Browse	216.58.215.225
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	34.102.136.180
	http://email.balluun.com/ls/click?upn=KzNQqcw6vAwizrX-2Fig1Ls6Y5D9N6j9I5FZfBCN8B2wRxBmpXcbUQvKOFUzJGiw-2F3Qy64T8VZ2LXT8NNNJG9bemh7vjcLDgF5-2FXPBBBqdJ0-2BpvIlXlKrZECAirL9YySN2b1LT-2Bcy1l-2F0fp1Pwvv3I4j7XHHKagv-2FxlVdd85P38ZuA-2Bvv5JF3QaAOx19sqG0-2BnULpm_J-2BsRItFMcwpTA18DVdBlGBJyUhFuIaAEybVNgKjH795y-2Bjn2esAEGPPa76dl-2BxD62wo4xT0BtNrFdVu0eWgx-2F6eRqupI7yZWQAa-2FBr1dlsLgX0hlcDSdDmAHsaZaG3WUUyADLR7thqFcU32Djt0AEfQ9qS0428-2BH1u-2Fk1E3KVFo9IePxc9mOWOHzwBkFv-2FOdeNUShdwqtjGBw2zuSNSTyLDRcypBOMpUtPdiR8ihMQ0-3D	Get hash	malicious	Browse	216.58.215.225
	https://epl.paypal-communication.com/H/2/v600000175fc9567aec3e4496e965fc958/d07dcaec-c38a-4069-96dc-06e53581f535/HTML	Get hash	malicious	Browse	172.217.168.35
TOTAL-SERVER-SOLUTIONSUS	http://cartmartservice.com/wp-content/themes/twentysixteen/genericons/make/Interac/index.html	Get hash	malicious	Browse	173.45.167.155
	28242450606.exe	Get hash	malicious	Browse	172.111.176.42
	https://drive-office-3-6-5.appspot.com/	Get hash	malicious	Browse	46.243.239.94
	https://share-point-office-3-6-5.firebaseapp.com/	Get hash	malicious	Browse	46.243.239.94
	HhfoEVec0W.exe	Get hash	malicious	Browse	192.252.210.84
	AfpGrB34LM.exe	Get hash	malicious	Browse	192.252.210.84
	Copied.234043937.doc	Get hash	malicious	Browse	66.115.173.226
	Copied.234043937.doc	Get hash	malicious	Browse	66.115.173.226
	Note#939289826.doc	Get hash	malicious	Browse	66.115.173.226
	qIbkxLcLXh.exe	Get hash	malicious	Browse	66.115.176.25
	snoozer.exe	Get hash	malicious	Browse	98.142.221.42
	http://www.afcogecopeer1.com.centexregisteredagent.com/?tty=(shenif.visram@cogecopeer1.com)	Get hash	malicious	Browse	198.8.83.186
	http://www.yumpu.com/en/document/read/64496860/new-fax-received-1	Get hash	malicious	Browse	199.58.186.42
	https://joom.ag/uZDC	Get hash	malicious	Browse	192.111.140.242
	http://www.yumpu.com/en/document/read/64496860/new-fax-received-1	Get hash	malicious	Browse	199.58.186.42
	https://worldgovt.org/	Get hash	malicious	Browse	98.142.221.133
	https://worldgovt.org/sui/bGVubmVrZS56YW5kbWFuQHJhYm9iYW5rLm5s	Get hash	malicious	Browse	98.142.221.133
	https://bestdevelopers.in/sui/ZmxvcmlzLmtldGVsQHJhYm9iYW5rLm5s	Get hash	malicious	Browse	98.142.221.58
	https://special-mammoth.10web.me/	Get hash	malicious	Browse	199.58.186.42
	https://salesmarvel.co.uk/qui/cm9zcy53b29kaGFtQGFwdHVtLmNvbQ==%E2%80%9D	Get hash	malicious	Browse	98.142.221.58
UNMETEREDCA	kHIpJr2DUQ.exe	Get hash	malicious	Browse	38.88.126.202
	Da9Ph8u58q.exe	Get hash	malicious	Browse	38.88.126.202
	y437JQkXLz.exe	Get hash	malicious	Browse	38.88.126.202
	53jMnvjyfR.exe	Get hash	malicious	Browse	38.88.126.202
	p1DxvA1pIG.exe	Get hash	malicious	Browse	38.88.126.202
	Untitled 967323.doc	Get hash	malicious	Browse	38.88.126.202
	http://tv.xiaoxiekeji.top/addons/INC/J4rTnXvpXa/	Get hash	malicious	Browse	38.88.126.202
	Copy invoice #150327.doc	Get hash	malicious	Browse	38.88.126.202
	index.html.exe	Get hash	malicious	Browse	38.88.126.202

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purchase order.exe.log Download File
Process:	C:\Users\user\Desktop\purchase order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.341099307467139
Encrypted:	false
SSDEEP:	24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHg
MD5:	BA56316A0540A6E8A0773ABCC4C34831
SHA1:	4684785CBF231C1F6F3A9FE948419F71B17219FB
SHA-256:	5B713DB1DFB5B7CE60DD4CD7B98F092C362370D857EE944248F9FDC4E5C9C496
SHA-512:	B0FE5F565DFEF658A108F5BFA43F477EC2FF6583E7C9B8BB34A1B9710A840EA713BE9C38DF90C540D64B64F28CD6D22E812518875858B0049FA5379B67DB9577
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.22732835315573
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	purchase order.exe
File size:	908288
MD5:	975187a07455d3cbf38ec878d893b490
SHA1:	af8ddbf775cdb9dbd3776f717c192094202127be
SHA256:	009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
SHA512:	378768e3aa1a49e6dce7a83197c1eceb86111422a6886fbe9e3ba7df75ce2bdb0f0979620a8eb905153caf276b43a23dd19885ff487586b3069a515cceb15222
SSDEEP:	12288:3WXLGRqJGxSYzVK435Ve6H2IZyqr6jNhjjYk65zPvELO07CuevjcA57x4vqqpPT4:3yLG80zVK435Ve+ZZyn3jjc5LvELx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|2._..............P.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4dee8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FBF327C [Thu Nov 26 04:43:40 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdee34	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe0000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdce94	0xdd000	False	0.670616736779	data	7.23319521913	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xe0000	0x610	0x800	False	0.33203125	data	3.44771191569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe00a0	0x380	data
RT_MANIFEST	0xe0420	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Hewlett-Packard 2017
Assembly Version	1.0.0.0
InternalName	L6HC.exe
FileVersion	1.0.0.0
CompanyName	Hewlett-Packard
LegalTrademarks
Comments
ProductName	Arizona Lottery Numbers
ProductVersion	1.0.0.0
FileDescription	Arizona Lottery Numbers
OriginalFilename	L6HC.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/26/20-08:35:59.647235	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49750	34.102.136.180	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 08:35:59.515651941 CET	49750	80	192.168.2.6	34.102.136.180
Nov 26, 2020 08:35:59.532067060 CET	80	49750	34.102.136.180	192.168.2.6
Nov 26, 2020 08:35:59.532291889 CET	49750	80	192.168.2.6	34.102.136.180
Nov 26, 2020 08:35:59.532458067 CET	49750	80	192.168.2.6	34.102.136.180
Nov 26, 2020 08:35:59.548866034 CET	80	49750	34.102.136.180	192.168.2.6
Nov 26, 2020 08:35:59.647234917 CET	80	49750	34.102.136.180	192.168.2.6
Nov 26, 2020 08:35:59.647254944 CET	80	49750	34.102.136.180	192.168.2.6
Nov 26, 2020 08:35:59.647403002 CET	49750	80	192.168.2.6	34.102.136.180
Nov 26, 2020 08:35:59.647483110 CET	49750	80	192.168.2.6	34.102.136.180
Nov 26, 2020 08:35:59.663825989 CET	80	49750	34.102.136.180	192.168.2.6
Nov 26, 2020 08:36:19.929287910 CET	49754	80	192.168.2.6	192.252.210.84
Nov 26, 2020 08:36:20.048827887 CET	80	49754	192.252.210.84	192.168.2.6
Nov 26, 2020 08:36:20.049011946 CET	49754	80	192.168.2.6	192.252.210.84
Nov 26, 2020 08:36:20.049163103 CET	49754	80	192.168.2.6	192.252.210.84
Nov 26, 2020 08:36:20.175694942 CET	80	49754	192.252.210.84	192.168.2.6
Nov 26, 2020 08:36:20.176032066 CET	80	49754	192.252.210.84	192.168.2.6
Nov 26, 2020 08:36:20.176084995 CET	80	49754	192.252.210.84	192.168.2.6
Nov 26, 2020 08:36:20.176456928 CET	49754	80	192.168.2.6	192.252.210.84
Nov 26, 2020 08:36:20.176614046 CET	49754	80	192.168.2.6	192.252.210.84
Nov 26, 2020 08:36:20.295711994 CET	80	49754	192.252.210.84	192.168.2.6
Nov 26, 2020 08:36:42.729172945 CET	49759	80	192.168.2.6	154.3.112.106
Nov 26, 2020 08:36:42.934798956 CET	80	49759	154.3.112.106	192.168.2.6
Nov 26, 2020 08:36:42.934915066 CET	49759	80	192.168.2.6	154.3.112.106
Nov 26, 2020 08:36:42.935230017 CET	49759	80	192.168.2.6	154.3.112.106
Nov 26, 2020 08:36:43.141685009 CET	80	49759	154.3.112.106	192.168.2.6
Nov 26, 2020 08:36:43.141709089 CET	80	49759	154.3.112.106	192.168.2.6
Nov 26, 2020 08:36:43.141876936 CET	49759	80	192.168.2.6	154.3.112.106
Nov 26, 2020 08:36:43.141932011 CET	49759	80	192.168.2.6	154.3.112.106
Nov 26, 2020 08:36:43.347218037 CET	80	49759	154.3.112.106	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2020 08:34:44.626146078 CET	51774	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:34:44.653296947 CET	53	51774	8.8.8.8	192.168.2.6
Nov 26, 2020 08:34:45.335278988 CET	56023	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:34:45.362344980 CET	53	56023	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:01.675477028 CET	58384	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:01.702729940 CET	53	58384	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:09.069878101 CET	60261	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:09.105495930 CET	53	60261	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:09.939351082 CET	56061	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:09.974968910 CET	53	56061	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:11.069233894 CET	58336	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:11.096440077 CET	53	58336	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:12.292821884 CET	53781	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:12.328258038 CET	53	53781	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:12.982487917 CET	54064	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:13.009586096 CET	53	54064	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:13.650024891 CET	52811	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:13.676914930 CET	53	52811	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:14.299649954 CET	55299	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:14.334978104 CET	53	55299	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:15.348972082 CET	63745	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:15.376084089 CET	53	63745	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:15.405502081 CET	50055	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:15.432632923 CET	53	50055	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:29.399007082 CET	61374	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:29.426244020 CET	53	61374	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:34.050090075 CET	50339	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:34.086786985 CET	53	50339	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:34.133965015 CET	63307	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:34.171108007 CET	53	63307	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:38.677284956 CET	49694	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:38.728715897 CET	53	49694	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:39.989021063 CET	54982	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:40.016082048 CET	53	54982	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:41.347407103 CET	50010	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:41.382834911 CET	53	50010	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:42.413922071 CET	63718	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:42.449481010 CET	53	63718	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:43.146209955 CET	62116	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:43.181716919 CET	53	62116	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:43.229849100 CET	63816	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:43.265134096 CET	53	63816	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:44.003971100 CET	55014	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:44.031021118 CET	53	55014	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:44.355125904 CET	62208	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:44.390340090 CET	53	62208	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:44.480305910 CET	57574	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:44.507337093 CET	53	57574	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:44.810081005 CET	51818	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:44.845542908 CET	53	51818	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:45.539169073 CET	56628	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:45.566215992 CET	53	56628	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:46.001442909 CET	60778	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:46.036811113 CET	53	60778	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:47.784264088 CET	53799	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:47.811352968 CET	53	53799	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:48.411068916 CET	54683	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:48.448807001 CET	53	54683	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:48.865490913 CET	59329	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:48.901052952 CET	53	59329	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:49.064623117 CET	64021	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:49.091680050 CET	53	64021	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:51.457932949 CET	56129	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:51.503340960 CET	53	56129	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:53.236346006 CET	58177	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:53.275296926 CET	53	58177	8.8.8.8	192.168.2.6
Nov 26, 2020 08:35:59.462236881 CET	50700	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:35:59.508137941 CET	53	50700	8.8.8.8	192.168.2.6
Nov 26, 2020 08:36:18.349651098 CET	54069	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:36:18.386487961 CET	53	54069	8.8.8.8	192.168.2.6
Nov 26, 2020 08:36:19.859580994 CET	61178	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:36:19.926716089 CET	53	61178	8.8.8.8	192.168.2.6
Nov 26, 2020 08:36:23.179485083 CET	57017	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:36:23.206470013 CET	53	57017	8.8.8.8	192.168.2.6
Nov 26, 2020 08:36:24.202011108 CET	56327	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:36:24.254543066 CET	53	56327	8.8.8.8	192.168.2.6
Nov 26, 2020 08:36:26.727475882 CET	50243	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:36:26.763277054 CET	53	50243	8.8.8.8	192.168.2.6
Nov 26, 2020 08:36:42.501482010 CET	62055	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:36:42.727859020 CET	53	62055	8.8.8.8	192.168.2.6
Nov 26, 2020 08:37:03.285170078 CET	61249	53	192.168.2.6	8.8.8.8
Nov 26, 2020 08:37:03.326234102 CET	53	61249	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 26, 2020 08:35:51.457932949 CET	192.168.2.6	8.8.8.8	0x76aa	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 26, 2020 08:35:59.462236881 CET	192.168.2.6	8.8.8.8	0x23ef	Standard query (0)	www.rettexo.com	A (IP address)	IN (0x0001)
Nov 26, 2020 08:36:19.859580994 CET	192.168.2.6	8.8.8.8	0x6c33	Standard query (0)	www.makgxoimisitzer.info	A (IP address)	IN (0x0001)
Nov 26, 2020 08:36:26.727475882 CET	192.168.2.6	8.8.8.8	0x13d5	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 26, 2020 08:36:42.501482010 CET	192.168.2.6	8.8.8.8	0x5c12	Standard query (0)	www.purehempbotanicalsinfo.com	A (IP address)	IN (0x0001)
Nov 26, 2020 08:37:03.285170078 CET	192.168.2.6	8.8.8.8	0xe22c	Standard query (0)	www.keystonefulfillment.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 26, 2020 08:35:51.503340960 CET	8.8.8.8	192.168.2.6	0x76aa	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 08:35:59.508137941 CET	8.8.8.8	192.168.2.6	0x23ef	No error (0)	www.rettexo.com	rettexo.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 08:35:59.508137941 CET	8.8.8.8	192.168.2.6	0x23ef	No error (0)	rettexo.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 26, 2020 08:36:19.926716089 CET	8.8.8.8	192.168.2.6	0x6c33	No error (0)	www.makgxoimisitzer.info	makgxoimisitzer.info		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 08:36:19.926716089 CET	8.8.8.8	192.168.2.6	0x6c33	No error (0)	makgxoimisitzer.info		192.252.210.84	A (IP address)	IN (0x0001)
Nov 26, 2020 08:36:26.763277054 CET	8.8.8.8	192.168.2.6	0x13d5	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 08:36:42.727859020 CET	8.8.8.8	192.168.2.6	0x5c12	No error (0)	www.purehempbotanicalsinfo.com	purehempbotanicalsinfo.com		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2020 08:36:42.727859020 CET	8.8.8.8	192.168.2.6	0x5c12	No error (0)	purehempbotanicalsinfo.com		154.3.112.106	A (IP address)	IN (0x0001)
Nov 26, 2020 08:36:42.727859020 CET	8.8.8.8	192.168.2.6	0x5c12	No error (0)	purehempbotanicalsinfo.com		154.3.112.107	A (IP address)	IN (0x0001)
Nov 26, 2020 08:37:03.326234102 CET	8.8.8.8	192.168.2.6	0xe22c	No error (0)	www.keystonefulfillment.com		52.58.78.16	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.rettexo.com

www.makgxoimisitzer.info

www.purehempbotanicalsinfo.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49750	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 08:35:59.532458067 CET	4462	OUT	GET /sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp HTTP/1.1 Host: www.rettexo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 08:35:59.647234917 CET	4463	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 26 Nov 2020 07:35:59 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c9ca-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49754	192.252.210.84	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 08:36:20.049163103 CET	4473	OUT	GET /sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp HTTP/1.1 Host: www.makgxoimisitzer.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 08:36:20.176032066 CET	4474	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Type: text/html Content-Length: 706 Date: Thu, 26 Nov 2020 07:36:20 GMT Server: LiteSpeed Location: https://www.makgxoimisitzer.info/sbmh/?0PJtBJ=XEJriTYCOuK+SyY/9HWJgPQ+bcG3K3zE43eWtlfOSAWdxw4RjD6D9w7NiRikfKNtMf925IUbyw==&jDHXG=aFNTklSp Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49759	154.3.112.106	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 26, 2020 08:36:42.935230017 CET	4532	OUT	GET /sbmh/?0PJtBJ=h/URaQ6chuqxS5rd6TDMT0L901DFCS1Z5y5lZa0zhzexAXZp9SqL0GSPheeJSC1M62VUMIayeg==&jDHXG=aFNTklSp HTTP/1.1 Host: www.purehempbotanicalsinfo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 26, 2020 08:36:43.141685009 CET	4533	IN	HTTP/1.1 200 OK Date: Thu, 26 Nov 2020 15:36:43 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Status: 304 Content-Length: 0 Content-Type: text/html; charset=UTF-8

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xEE

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: purchase order.exe PID: 3900 Parent PID: 5904

General

Start time:	08:34:50
Start date:	26/11/2020
Path:	C:\Users\user\Desktop\purchase order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\purchase order.exe'
Imagebase:	0x8d0000
File size:	908288 bytes
MD5 hash:	975187A07455D3CBF38EC878D893B490
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.355472784.0000000002EA7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.356215152.0000000003D27000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: purchase order.exe PID: 4672 Parent PID: 3900

General

Start time:	08:34:59
Start date:	26/11/2020
Path:	C:\Users\user\Desktop\purchase order.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\purchase order.exe
Imagebase:	0xbf0000
File size:	908288 bytes
MD5 hash:	975187A07455D3CBF38EC878D893B490
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.393244469.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.394597129.00000000014A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.394487409.0000000001470000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3440 Parent PID: 4672

General

Start time:	08:35:01
Start date:	26/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msdt.exe PID: 6468 Parent PID: 3440

General

Start time:	08:35:15
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msdt.exe
Imagebase:	0xf60000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.598821666.0000000000620000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.599779534.0000000000E10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.599557812.0000000000950000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6508 Parent PID: 6468

General

Start time:	08:35:19
Start date:	26/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\purchase order.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6476 Parent PID: 6508

General

Start time:	08:35:19
Start date:	26/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report purchase order.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations