
Windows Analysis Report Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 452476
MD5: c13f1850e9d955f826620bd1ae322368
SHA1: 1329de0499fabc6fcffd4fa02864968acaac253e
SHA256: 419d8b92dc042882bb3261de70dfe4a158bc9ca436c71f9bf330bb8a6917d04c
Tags: exe
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Purchase Order.exe (PID: 1376 cmdline: 'C:\Users\user\Desktop\Purchase Order.exe' MD5: C13F1850E9D955F826620BD1AE322368)
    • Purchase Order.exe (PID: 1784 cmdline: {path} MD5: C13F1850E9D955F826620BD1AE322368)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 244 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.valiantfinancial.net/hth0/"], "decoy": ["grahamandjana.com", "surfpodcastnetwork.com", "valkyrie20.com", "hire4looks.com", "wewalkfastasone.com", "saveourschoolyear.com", "5g23e.com", "abusinesssystems.com", "telefonepantalla.com", "tailorscafe.com", "schwarzer-markt.net", "stopwatch247.com", "458grandbetting.com", "xpovision.com", "kutkingbarbering.life", "kppp-guxxz.xyz", "chuckwagon-chow.com", "la-casa-delle-vita.com", "creativesocials.com", "negociacoeshojebr.com", "conservativestyle.life", "825tache.com", "birthmothersmaine.com", "jwrl.net", "gardiantparts.com", "contodosyparaelbiendetodos.com", "actymall.com", "oxyde.net", "adagiomusicacademy.com", "newjerseyscubadiving.net", "87oaks.com", "overt.website", "home-made-gifts.com", "viralgoats.com", "camediahub.com", "bankruptcyprobabilities.com", "yourlifematterswellness.email", "earnestjourneycourses.com", "landonpaints.com", "aesegroup.com", "omegle99.com", "sparklinmomma.com", "cofcwzrf.com", "jam-nins.com", "mazacz.com", "copdrule.info", "cahayaqq.life", "helps-paxful.com", "gerado.online", "patanamedia.com", "fromfeartotrust.com", "deux-studios.com", "wallinders.com", "nilton-g.com", "yijiamobile.com", "ocheap3dbuy.com", "flima2020a.site", "battlefieldtitle.site", "ferrebaviera.com", "plushmint.com", "achievementfound.com", "dontbringcovidhome.com", "cultigique.com", "waveplumb.com"]}

Yara Overview

Memory Dumps

Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(18 further memory dump entries are collapsed in the original report and not shown here.)

Unpacked PEs

Source: 16.2.Purchase Order.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 16.2.Purchase Order.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 16.2.Purchase Order.exe.400000.0.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C

Source: 16.2.Purchase Order.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 16.2.Purchase Order.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked PE entry is collapsed in the original report and not shown here.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
          Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.valiantfinancial.net/hth0/"], "decoy": ["grahamandjana.com", "surfpodcastnetwork.com", "valkyrie20.com", "hire4looks.com", "wewalkfastasone.com", "saveourschoolyear.com", "5g23e.com", "abusinesssystems.com", "telefonepantalla.com", "tailorscafe.com", "schwarzer-markt.net", "stopwatch247.com", "458grandbetting.com", "xpovision.com", "kutkingbarbering.life", "kppp-guxxz.xyz", "chuckwagon-chow.com", "la-casa-delle-vita.com", "creativesocials.com", "negociacoeshojebr.com", "conservativestyle.life", "825tache.com", "birthmothersmaine.com", "jwrl.net", "gardiantparts.com", "contodosyparaelbiendetodos.com", "actymall.com", "oxyde.net", "adagiomusicacademy.com", "newjerseyscubadiving.net", "87oaks.com", "overt.website", "home-made-gifts.com", "viralgoats.com", "camediahub.com", "bankruptcyprobabilities.com", "yourlifematterswellness.email", "earnestjourneycourses.com", "landonpaints.com", "aesegroup.com", "omegle99.com", "sparklinmomma.com", "cofcwzrf.com", "jam-nins.com", "mazacz.com", "copdrule.info", "cahayaqq.life", "helps-paxful.com", "gerado.online", "patanamedia.com", "fromfeartotrust.com", "deux-studios.com", "wallinders.com", "nilton-g.com", "yijiamobile.com", "ocheap3dbuy.com", "flima2020a.site", "battlefieldtitle.site", "ferrebaviera.com", "plushmint.com", "achievementfound.com", "dontbringcovidhome.com", "cultigique.com", "waveplumb.com"]}
Multi AV Scanner detection for submitted file
Source: Purchase Order.exe; ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match; File source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Purchase Order.exe; Joe Sandbox ML: detected
Source: 16.2.Purchase Order.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Purchase Order.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Purchase Order.exe, 00000010.00000002.363433472.000000000194F000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order.exe, cscript.exe
Source: Binary string: cscript.pdb source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe; Code function: 4x nop then pop edi (16_2_0040E44E)
Source: C:\Users\user\Desktop\Purchase Order.exe; Code function: 4x nop then pop edi (16_2_00417D7C)
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop edi (19_2_00D5E44E)
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop edi (19_2_00D67D7C)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.valiantfinancial.net/hth0/
Source: unknown; DNS traffic detected: query: www.deux-studios.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: www.abusinesssystems.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: queries for: www.deux-studios.com
Source: explorer.exe, 00000011.00000000.337336723.000000000F5C0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Purchase Order.exe, 00000000.00000003.230153130.00000000056A8000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.226282943.000000000569C000.00000004.00000001.sdmp; String found in binary or memory: http://www.agfamonotype.
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comcr
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.
Source: Purchase Order.exe, 00000000.00000003.223685242.00000000056A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comof
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comtGi
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com.TTF
Source: Purchase Order.exe, 00000000.00000003.226282943.000000000569C000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com.TTFuo
Source: explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order.exe, 00000000.00000002.314683016.0000000005690000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com=
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comd-o
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comdsed
Source: Purchase Order.exe, 00000000.00000003.230396940.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come.com
Source: Purchase Order.exe, 00000000.00000002.314683016.0000000005690000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.como
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comsivao
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cngib
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnmpa-u
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnoup
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnoupyt
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnrosCu
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnt
Source: Purchase Order.exe, 00000000.00000003.227884543.00000000056A0000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order.exe, 00000000.00000003.227809153.00000000056A0000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//2o
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/;o
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Co
Source: Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Ko
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase Order.exe, 00000000.00000003.225076126.00000000056A3000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/uo
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Purchase Order.exe, 00000000.00000003.224849274.00000000056A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/lt
Source: Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/ue
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/uo
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/zo
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase Order.exe, 00000000.00000003.223470937.00000000056A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cno.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Purchase Order.exe
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A060 NtClose
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A110 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00419F30 NtCreateFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00419FE0 NtReadFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A05A NtClose
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A10C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00419FDA NtReadFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018999A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018995D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018998F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018997A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018996E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018999D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018995F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899560 NtWriteFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018998A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189B040 NtSuspendThread
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899760 NtOpenProcess
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189A770 NtOpenThread
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018996D0 NtCreateKey
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A10 NtQuerySection
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F595D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F596D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F598F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59560 NtWriteFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F597A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A770 NtOpenThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A060 NtClose
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A110 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D69FE0 NtReadFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D69F30 NtCreateFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A05A NtClose
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A10C NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D69FDA NtReadFile
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051A1EB4
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051409D8
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00401030
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041E903
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041E1D5
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D9E4
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D441
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D563
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00402D87
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00402D90
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409E40
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409E3B
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00402FB0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01882581
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019225DD
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186D5E0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185F900
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01922D07
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01850D20
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01874120
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01921D55
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186B090
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018820A0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019220A8
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019228EC
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01911002
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186841F
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191D466
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188EBB0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191DBD2
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01921FF1
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01922B28
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019222AE
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01922EF7
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01876E30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE28EC
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE20A8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F2B090
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FDD466
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F2841F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FD1002
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F2D5E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE25DD
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F42581
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE1D55
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F10D20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F34120
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F1F900
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE2D07
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE2EF7
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE22AE
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F36E30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE1FF1
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FDDBD2
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F4EBB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE2B28
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6E1D5
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6E903
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6D441
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D52D90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D52D87
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6D563
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D59E40
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D59E3B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D52FB0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: String function: 0185B150 appears 35 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04F1B150 appears 35 times
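The two "Code function" lists above are worth a second look before reading them as two unrelated sets of API wrappers: every address reported for process 19 (cscript.exe) sits at the same low 16 bits as one reported for process 16 (the relaunched Purchase Order.exe), and the difference is one constant per address range (0x04F59xxx vs 0x01899xxx, 0x00D6xxxx vs 0x0041xxxx, and the String function at 04F1B150 vs 0185B150). That is what one sees when the same code image is mapped into two processes at different 64 KiB-aligned bases, i.e. the same payload injected twice. The script below is an added example, not part of the Joe Sandbox report: it parses a subset of the lines above (copied from the report, in the cleaned form used on this page), builds a histogram of address differences over functions that name the same first API, and reports the deltas that explain more than one pair. The delta-histogram approach and the function names are mine; the only assumption about the report is that `N_2_XXXXXXXX` is process index `N` and a hex address.

```python
"""Pair the function addresses reported for process 16 (the relaunched
Purchase Order.exe) with those reported for process 19 (cscript.exe).
If one constant difference explains most pairs, both processes run the
same code image mapped at different bases.

Added example; the lines are copied from the report, the delta-histogram
logic is mine and not part of Joe Sandbox.
"""
import re
from collections import Counter, defaultdict

FUNC_RE = re.compile(
    r"Code function:\s*(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>[A-Za-z0-9_,\s]*)")

# Subset of the report's lines; 16_2_0041D9E4 has no counterpart in cscript.exe on purpose.
FUNCTION_LINES = [
    "Code function: 16_2_018999A0 NtCreateSection, LdrInitializeThunk",
    "Code function: 16_2_018995D0 NtClose, LdrInitializeThunk",
    "Code function: 16_2_01899910 NtAdjustPrivilegesToken, LdrInitializeThunk",
    "Code function: 16_2_01899780 NtMapViewOfSection, LdrInitializeThunk",
    "Code function: 16_2_018997A0 NtUnmapViewOfSection, LdrInitializeThunk",
    "Code function: 16_2_0189AD30 NtSetContextThread",
    "Code function: 16_2_01899950 NtQueueApcThread",
    "Code function: 16_2_018998A0 NtWriteVirtualMemory",
    "Code function: 16_2_01899A20 NtResumeThread, LdrInitializeThunk",
    "Code function: 16_2_0041A060 NtClose",
    "Code function: 16_2_0041A110 NtAllocateVirtualMemory",
    "Code function: 16_2_00419F30 NtCreateFile",
    "Code function: 16_2_0041D9E4",
    "Code function: 19_2_04F599A0 NtCreateSection, LdrInitializeThunk",
    "Code function: 19_2_04F595D0 NtClose, LdrInitializeThunk",
    "Code function: 19_2_04F59910 NtAdjustPrivilegesToken, LdrInitializeThunk",
    "Code function: 19_2_04F59780 NtMapViewOfSection, LdrInitializeThunk",
    "Code function: 19_2_04F597A0 NtUnmapViewOfSection",
    "Code function: 19_2_04F5AD30 NtSetContextThread",
    "Code function: 19_2_04F59950 NtQueueApcThread",
    "Code function: 19_2_04F598A0 NtWriteVirtualMemory",
    "Code function: 19_2_04F59A20 NtResumeThread",
    "Code function: 19_2_00D6A060 NtClose",
    "Code function: 19_2_00D6A110 NtAllocateVirtualMemory",
    "Code function: 19_2_00D69F30 NtCreateFile",
]


def parse_functions(lines):
    """{pid: [(address, first API name or None), ...]} from "Code function" lines."""
    table = defaultdict(list)
    for line in lines:
        m = FUNC_RE.search(line)
        if not m:
            continue
        # Keep only API-looking tokens; this also survives the fused "NtClose,16_2_..." form.
        apis = [a.strip() for a in m["apis"].split(",") if a.strip() and a.strip()[0].isalpha()]
        table[int(m["pid"])].append((int(m["addr"], 16), apis[0] if apis else None))
    return dict(table)


def delta_histogram(table, pid_a, pid_b):
    """Count addr_b - addr_a over every pair of functions that name the same first API."""
    by_api = defaultdict(list)
    for addr, api in table.get(pid_a, []):
        if api:
            by_api[api].append(addr)
    hist = Counter()
    for addr_b, api in table.get(pid_b, []):
        for addr_a in by_api.get(api, []):
            hist[addr_b - addr_a] += 1
    return hist


def relocation_deltas(table, pid_a, pid_b, min_support=2):
    """Deltas backed by at least min_support pairs, most common first: one per mapped region."""
    return [(d, n) for d, n in delta_histogram(table, pid_a, pid_b).most_common() if n >= min_support]


def explained_by(table, pid_a, pid_b, delta):
    """API names whose pid_a address plus delta is an address reported for pid_b."""
    addrs_b = {addr for addr, _ in table.get(pid_b, [])}
    return sorted({api for addr, api in table.get(pid_a, []) if api and addr + delta in addrs_b})


def unexplained(table, pid_a, pid_b, deltas):
    """pid_a addresses that no accepted delta maps onto a pid_b address."""
    addrs_b = {addr for addr, _ in table.get(pid_b, [])}
    return sorted(addr for addr, _ in table.get(pid_a, [])
                  if not any(addr + d in addrs_b for d in deltas))


if __name__ == "__main__":
    t = parse_functions(FUNCTION_LINES)
    deltas = relocation_deltas(t, 16, 19)
    for delta, n in deltas:
        print(f"delta {delta:#x}: {n} pairs -> {explained_by(t, 16, 19, delta)}")
    print("unexplained:", [f"{a:#010x}" for a in unexplained(t, 16, 19, [d for d, _ in deltas])])
```

Run against the full lists on this page the two deltas come out as 0x036C0000 and 0x00950000; a third delta with real support would mean a third shared region. Addresses that no delta explains (here the unnamed 16_2_0041D9E4) are either functions the sandbox only reached in one process or not part of the shared image at all, and are the ones worth inspecting by hand.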
          Source: Purchase Order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Purchase Order.exe, 00000000.00000002.316200555.0000000006320000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs Purchase Order.exe
          Source: Purchase Order.exe, 00000000.00000002.315638714.0000000005EE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
          Source: Purchase Order.exe, 00000000.00000002.313563096.0000000005240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order.exe
          Source: Purchase Order.exe, 00000000.00000002.305496464.0000000000917000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametV45e.exe2 vs Purchase Order.exe
          Source: Purchase Order.exe, 00000010.00000000.304813686.0000000000D77000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametV45e.exe2 vs Purchase Order.exe
          Source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Purchase Order.exe
          Source: Purchase Order.exe, 00000010.00000002.363433472.000000000194F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order.exe
          Source: Purchase Order.exe | Binary or memory string: OriginalFilenametV45e.exe2 vs Purchase Order.exe
          Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
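The memory-dump names in the YARA match lines (the earlier "Matched rule" block and the one just above) carry more than a match: the first field is the process index in hex (00000010 is the same process as the "16_2_" prefixes elsewhere on this page, 00000013 is 19, 00000000 is 0), the fourth is the region base, and the fifth reads as a Windows page protection (0x40 on the regions at 0x400000, 0x16F0000, 0x1720000, 0x1140000 and 0xD50000; 0x04 on 0x1170000 and 0x3C71000). That split matters: a FormBook match in an executable-and-writable region is injected or unpacked code, whereas a match in a read-write region can be a copy of the payload sitting in a heap before injection. The following is an added example, not part of the Joe Sandbox report. The hex-index-to-decimal mapping and the index-to-image table are read off this page; the field layout `<index>.<run>.<id>.<base>.<protect>.<flags>.sdmp` and the reading of `<protect>` as a PAGE_* constant are assumptions, as are all function names.

```python
"""Decode the memory-dump identifiers in "Matched rule" lines.

Added example, not part of the Joe Sandbox report. Taken from the report:
the hex process index equals the decimal "N_2_" prefix (0x10 -> 16,
0x13 -> 19) and the index-to-image table. Assumed: the dump-name layout
<index>.<run>.<id>.<base>.<protect>.<flags>.sdmp and that <protect> is a
Windows PAGE_* constant.
"""
import re
from collections import defaultdict

# Windows memory-protection constants (winnt.h).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Process index -> image, read off the "N_2_" prefixes and the process tree
# in the report (17 is explorer.exe, from the wscui.pdb line).
PROCESS_IMAGE = {
    0: "Purchase Order.exe",   # the sample as launched
    16: "Purchase Order.exe",  # the relaunched copy ("{path}")
    17: "explorer.exe",
    19: "cscript.exe",
}

DUMP_RE = re.compile(
    r"Source:\s*(?P<idx>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp"
    r".*?Matched rule:\s*(?P<rule>.+?)\s+Author:\s*(?P<author>.+?)\s*$"
)

# Lines copied from the report; the UNPACKEDPE line is there to show it is skipped.
RULE_LINES = [
    "Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group",
]


def parse_match(line):
    """Return a dict for an .sdmp match line, or None for any other line."""
    m = DUMP_RE.search(line)
    if not m:
        return None
    idx, prot = int(m["idx"], 16), int(m["prot"], 16)
    return {
        "index": idx,
        "image": PROCESS_IMAGE.get(idx, "?"),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "rule": m["rule"],
        "author": m["author"],
    }


def group_hits(lines):
    """{(index, base): set of rule names}: one entry per region, however many rules fired."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_match(line)
        if rec:
            hits[(rec["index"], rec["base"])].add(rec["rule"])
    return dict(hits)


def rwx_hits(lines):
    """Regions that are executable and writable and carry a match: the injected/unpacked
    code, as opposed to a copy of the payload lying in a read-write heap."""
    return sorted({(r["index"], r["image"], r["base"])
                   for r in map(parse_match, lines)
                   if r and r["protect"] == "PAGE_EXECUTE_READWRITE"})


if __name__ == "__main__":
    for (idx, base), rules in sorted(group_hits(RULE_LINES).items()):
        print(f"{idx:>2} {PROCESS_IMAGE.get(idx, '?'):<20} {base:#010x} {sorted(rules)}")
    print("RWX:", rwx_hits(RULE_LINES))
```

On the full set of lines above this yields five RWX regions across processes 16 and 19 and two read-write ones (0x3C71000 in process 0 is the .NET side of the loader holding the payload before it is injected; 0x1170000 in process 19 is a writable copy inside cscript.exe). The region at 0x400000 in process 16 is the sample's own image base, which is the reason the same bytes also match as `16.2.Purchase Order.exe.400000.0.unpack`.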
          Source: Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/0
          Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_01
          Source: Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Purchase Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Purchase Order.exe | ReversingLabs: Detection: 13%
          Source: Purchase Order.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
          Source: Purchase Order.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe'
          Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Purchase Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Purchase Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
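The "Process created" lines above are the part of this report that transfers directly to endpoint detection, because none of the three steps needs the payload to be recognised: the sample relaunches its own image with a different command line (the relaunched copy is process 16, where the in-memory FormBook matches at image base 0x400000 are found); explorer.exe, which the sample does not create, starts a 32-bit script host with nothing but the binary on the command line; and that script host has cmd.exe delete the original sample. The script below is an added example and not part of the report or of any EDR product. The events are constructed from the five lines above (field names, the `ProcEvent` shape and the rule names are my assumptions); the rules are mine and deliberately narrow, so the reader can see what each one keys on.

```python
"""Flag the process chain recorded in the report:
   Purchase Order.exe -> Purchase Order.exe {path}   (relaunch of its own image)
   explorer.exe -> SysWOW64\\cscript.exe              (script host with no script)
   cscript.exe -> cmd.exe /c del '<sample path>'     (deleting the dropper)

Added example; the rules are mine and the events are constructed from the
"Process created" lines of the report, not taken from a real telemetry feed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process; "unknown" when not recorded
    image: str    # image path of the created process
    cmdline: str  # command line as logged


SAMPLE = r"C:\Users\user\Desktop\Purchase Order.exe"

# Constructed from the report's "Process created" lines.
EVENTS = [
    ProcEvent("unknown", SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(SAMPLE, SAMPLE, "{path}"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\cscript.exe",
              r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
              f"/c del '{SAMPLE}'"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Script hosts that are pointless to run without a script argument.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}

# "/c del <path>" with the path optionally quoted; the target group excludes the quotes.
DEL_RE = re.compile(r"/c\s+del\s+[\"']?(?P<target>.+?)[\"']?\s*$", re.IGNORECASE)


def _name(path):
    return ntpath.basename(path).lower()


def analyze(events, sample_path):
    """Return (rule, subject, detail) tuples, one per event that trips a rule."""
    findings = []
    for e in events:
        parent, child = _name(e.parent), _name(e.image)
        cmd = e.cmdline.strip()
        bare = cmd.strip("'\"").lower()
        # Rule 1: a process starts its own image again with a different command line.
        # The first launch (parent unknown, quoted path) is not this; the "{path}" relaunch is.
        if e.parent.lower() == e.image.lower() and bare != e.image.lower():
            findings.append(("self_respawn", child, cmd))
        # Rule 2: explorer.exe starts a script host whose command line is only the binary.
        # A user double-click always passes the script; an injected explorer.exe does not.
        if parent == "explorer.exe" and child in SCRIPT_HOSTS and bare in (e.image.lower(), child):
            findings.append(("script_host_no_args", child, cmd))
        # Rule 3: cmd.exe deletes the original sample on behalf of a process that is not the sample.
        m = DEL_RE.search(cmd) if child == "cmd.exe" else None
        if m and m["target"].lower() == sample_path.lower() and parent != _name(sample_path):
            findings.append(("self_delete", parent, m["target"]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze(EVENTS, SAMPLE):
        print(f"{rule:<20} {subject:<20} {detail}")
```

Rule 3 is written against the sample path because that is what the report records; in production the "target" would be compared against the path of whatever file the parent chain started from, and rule 2 would be extended with the SysWOW64-on-64-bit check that the report's paths make obvious.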
          Source: Binary string: cscript.pdbUGP source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase Order.exe, 00000010.00000002.363433472.000000000194F000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase Order.exe, cscript.exe
          Source: Binary string: cscript.pdb source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Purchase Order.exe, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Purchase Order.exe.830000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Purchase Order.exe.830000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 16.2.Purchase Order.exe.c90000.1.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 16.0.Purchase Order.exe.c90000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0089566C push edi; retf 0_2_0089566F
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05143D50 push cs; ret 0_2_05143D51
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05142D96 push cs; ret 0_2_05142D97
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051425E7 push cs; ret 0_2_051425E8
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05143448 push cs; ret 0_2_05143449
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05144C9C push cs; ret 0_2_05144C9D
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05141CCD push cs; ret 0_2_05141CCE
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051437A0 push cs; ret 0_2_051437A1
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05141FAE push cs; ret 0_2_05141FAF
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051447D5 pushad ; retf 0_2_051447E0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514463C push cs; ret 0_2_0514463D
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514297E push cs; ret 0_2_0514297F
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514496C push cs; ret 0_2_0514496D
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514407B push cs; ret 0_2_0514407C
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05145063 push cs; ret 0_2_05145064
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051430EF push cs; ret 0_2_051430F0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05144B05 pushad ; retf 0_2_05144B10
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05142B8A push cs; ret 0_2_05142B8B
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051443A6 push cs; ret 0_2_051443A7
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05142250 push cs; ret 0_2_05142251
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05143A78 push cs; ret 0_2_05143A79
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D0D2 push eax; ret 16_2_0041D0D8
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D0DB push eax; ret 16_2_0041D142
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D085 push eax; ret 16_2_0041D0D8
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D13C push eax; ret 16_2_0041D142
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00416A73 push eax; iretd 16_2_00416A9D
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_004176D4 push ss; ret 16_2_004176D6
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_004077D3 push ecx; retf 16_2_0040788B
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_004167ED push edi; ret 16_2_004167EF
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00CFA934 push edi; retf 16_2_00CFA935
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00CF566C push edi; retf 16_2_00CF566F
Source: initial sample | Static PE information: section name: .text entropy: 7.75016432791

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEB
Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 1376, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Purchase Order.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000D598E4 second address: 0000000000D598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000D59B5E second address: 0000000000D59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409A90 rdtsc 16_2_00409A90
Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4760 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 00000011.00000000.331665021.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000011.00000000.354060611.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000011.00000000.331997751.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000011.00000000.326143838.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase Order.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0040ACD0 LdrLoadDll, 16_2_0040ACD0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0187C182 mov eax, dword ptr fs:[00000030h] 16_2_0187C182
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01882581 mov eax, dword ptr fs:[00000030h] 16_2_01882581
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188A185 mov eax, dword ptr fs:[00000030h] 16_2_0188A185
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01852D8A mov eax, dword ptr fs:[00000030h] 16_2_01852D8A
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188FD9B mov eax, dword ptr fs:[00000030h] 16_2_0188FD9B
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01882990 mov eax, dword ptr fs:[00000030h] 16_2_01882990
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018861A0 mov eax, dword ptr fs:[00000030h] 16_2_018861A0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018835A1 mov eax, dword ptr fs:[00000030h] 16_2_018835A1
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D69A6 mov eax, dword ptr fs:[00000030h] 16_2_018D69A6
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D51BE mov eax, dword ptr fs:[00000030h] 16_2_018D51BE
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01881DB5 mov eax, dword ptr fs:[00000030h] 16_2_01881DB5
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019205AC mov eax, dword ptr fs:[00000030h] 16_2_019205AC
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6DC9 mov eax, dword ptr fs:[00000030h] 16_2_018D6DC9
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6DC9 mov ecx, dword ptr fs:[00000030h] 16_2_018D6DC9
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01908DF1 mov eax, dword ptr fs:[00000030h] 16_2_01908DF1
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0185B1E1
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018E41E8 mov eax, dword ptr fs:[00000030h] 16_2_018E41E8
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0186D5E0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0191FDE2
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01859100 mov eax, dword ptr fs:[00000030h] 16_2_01859100
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01928D34 mov eax, dword ptr fs:[00000030h] 16_2_01928D34
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01874120 mov eax, dword ptr fs:[00000030h] 16_2_01874120
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01874120 mov ecx, dword ptr fs:[00000030h] 16_2_01874120
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191E539 mov eax, dword ptr fs:[00000030h] 16_2_0191E539
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188513A mov eax, dword ptr fs:[00000030h] 16_2_0188513A
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01863D34 mov eax, dword ptr fs:[00000030h] 16_2_01863D34
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01884D3B mov eax, dword ptr fs:[00000030h] 16_2_01884D3B
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185AD30 mov eax, dword ptr fs:[00000030h] 16_2_0185AD30
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018DA537 mov eax, dword ptr fs:[00000030h] 16_2_018DA537
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0187B944 mov eax, dword ptr fs:[00000030h] 16_2_0187B944
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01893D43 mov eax, dword ptr fs:[00000030h] 16_2_01893D43
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D3540 mov eax, dword ptr fs:[00000030h] 16_2_018D3540
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01877D50 mov eax, dword ptr fs:[00000030h] 16_2_01877D50
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185C962 mov eax, dword ptr fs:[00000030h] 16_2_0185C962
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0187C577 mov eax, dword ptr fs:[00000030h] 16_2_0187C577
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185B171 mov eax, dword ptr fs:[00000030h] 16_2_0185B171
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01859080 mov eax, dword ptr fs:[00000030h] 16_2_01859080
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D3884 mov eax, dword ptr fs:[00000030h] 16_2_018D3884
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186849B mov eax, dword ptr fs:[00000030h] 16_2_0186849B
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018990AF mov eax, dword ptr fs:[00000030h] 16_2_018990AF
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018820A0 mov eax, dword ptr fs:[00000030h] 16_2_018820A0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0188F0BF
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188F0BF mov eax, dword ptr fs:[00000030h] 16_2_0188F0BF
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01928CD6 mov eax, dword ptr fs:[00000030h] 16_2_01928CD6
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018EB8D0 mov eax, dword ptr fs:[00000030h] 16_2_018EB8D0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018EB8D0 mov ecx, dword ptr fs:[00000030h] 16_2_018EB8D0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018558EC mov eax, dword ptr fs:[00000030h] 16_2_018558EC
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019114FB mov eax, dword ptr fs:[00000030h] 16_2_019114FB
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6CF0 mov eax, dword ptr fs:[00000030h] 16_2_018D6CF0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01924015 mov eax, dword ptr fs:[00000030h] 16_2_01924015
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6C0A mov eax, dword ptr fs:[00000030h] 16_2_018D6C0A
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01911C06 mov eax, dword ptr fs:[00000030h] 16_2_01911C06
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D7016 mov eax, dword ptr fs:[00000030h] 16_2_018D7016
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0192740D mov eax, dword ptr fs:[00000030h] 16_2_0192740D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188BC2C mov eax, dword ptr fs:[00000030h]16_2_0188BC2C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A44B mov eax, dword ptr fs:[00000030h]16_2_0188A44B
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01870050 mov eax, dword ptr fs:[00000030h]16_2_01870050
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01870050 mov eax, dword ptr fs:[00000030h]16_2_01870050
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EC450 mov eax, dword ptr fs:[00000030h]16_2_018EC450
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EC450 mov eax, dword ptr fs:[00000030h]16_2_018EC450
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01912073 mov eax, dword ptr fs:[00000030h]16_2_01912073
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01921074 mov eax, dword ptr fs:[00000030h]16_2_01921074
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187746D mov eax, dword ptr fs:[00000030h]16_2_0187746D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01861B8F mov eax, dword ptr fs:[00000030h]16_2_01861B8F
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01861B8F mov eax, dword ptr fs:[00000030h]16_2_01861B8F
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190D380 mov ecx, dword ptr fs:[00000030h]16_2_0190D380
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01868794 mov eax, dword ptr fs:[00000030h]16_2_01868794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188B390 mov eax, dword ptr fs:[00000030h]16_2_0188B390
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7794 mov eax, dword ptr fs:[00000030h]16_2_018D7794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7794 mov eax, dword ptr fs:[00000030h]16_2_018D7794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7794 mov eax, dword ptr fs:[00000030h]16_2_018D7794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191138A mov eax, dword ptr fs:[00000030h]16_2_0191138A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01882397 mov eax, dword ptr fs:[00000030h]16_2_01882397
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01884BAD mov eax, dword ptr fs:[00000030h]16_2_01884BAD
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01884BAD mov eax, dword ptr fs:[00000030h]16_2_01884BAD
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01884BAD mov eax, dword ptr fs:[00000030h]16_2_01884BAD
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01925BA5 mov eax, dword ptr fs:[00000030h]16_2_01925BA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D53CA mov eax, dword ptr fs:[00000030h]16_2_018D53CA
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D53CA mov eax, dword ptr fs:[00000030h]16_2_018D53CA
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187DBE9 mov eax, dword ptr fs:[00000030h]16_2_0187DBE9
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018937F5 mov eax, dword ptr fs:[00000030h]16_2_018937F5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A70E mov eax, dword ptr fs:[00000030h]16_2_0188A70E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A70E mov eax, dword ptr fs:[00000030h]16_2_0188A70E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191131B mov eax, dword ptr fs:[00000030h]16_2_0191131B
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187F716 mov eax, dword ptr fs:[00000030h]16_2_0187F716
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EFF10 mov eax, dword ptr fs:[00000030h]16_2_018EFF10
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EFF10 mov eax, dword ptr fs:[00000030h]16_2_018EFF10
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192070D mov eax, dword ptr fs:[00000030h]16_2_0192070D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192070D mov eax, dword ptr fs:[00000030h]16_2_0192070D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01854F2E mov eax, dword ptr fs:[00000030h]16_2_01854F2E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01854F2E mov eax, dword ptr fs:[00000030h]16_2_01854F2E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188E730 mov eax, dword ptr fs:[00000030h]16_2_0188E730
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185DB40 mov eax, dword ptr fs:[00000030h]16_2_0185DB40
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186EF40 mov eax, dword ptr fs:[00000030h]16_2_0186EF40
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928B58 mov eax, dword ptr fs:[00000030h]16_2_01928B58
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185F358 mov eax, dword ptr fs:[00000030h]16_2_0185F358
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185DB60 mov ecx, dword ptr fs:[00000030h]16_2_0185DB60
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186FF60 mov eax, dword ptr fs:[00000030h]16_2_0186FF60
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01883B7A mov eax, dword ptr fs:[00000030h]16_2_01883B7A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01883B7A mov eax, dword ptr fs:[00000030h]16_2_01883B7A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928F6A mov eax, dword ptr fs:[00000030h]16_2_01928F6A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EFE87 mov eax, dword ptr fs:[00000030h]16_2_018EFE87
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188D294 mov eax, dword ptr fs:[00000030h]16_2_0188D294
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188D294 mov eax, dword ptr fs:[00000030h]16_2_0188D294
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D46A7 mov eax, dword ptr fs:[00000030h]16_2_018D46A7
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186AAB0 mov eax, dword ptr fs:[00000030h]16_2_0186AAB0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186AAB0 mov eax, dword ptr fs:[00000030h]16_2_0186AAB0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01920EA5 mov eax, dword ptr fs:[00000030h]16_2_01920EA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01920EA5 mov eax, dword ptr fs:[00000030h]16_2_01920EA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01920EA5 mov eax, dword ptr fs:[00000030h]16_2_01920EA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188FAB0 mov eax, dword ptr fs:[00000030h]16_2_0188FAB0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01882ACB mov eax, dword ptr fs:[00000030h]16_2_01882ACB
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928ED6 mov eax, dword ptr fs:[00000030h]16_2_01928ED6
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018836CC mov eax, dword ptr fs:[00000030h]16_2_018836CC
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01898EC7 mov eax, dword ptr fs:[00000030h]16_2_01898EC7
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190FEC0 mov eax, dword ptr fs:[00000030h]16_2_0190FEC0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018676E2 mov eax, dword ptr fs:[00000030h]16_2_018676E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018816E0 mov ecx, dword ptr fs:[00000030h]16_2_018816E0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01882AE4 mov eax, dword ptr fs:[00000030h]16_2_01882AE4
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185C600 mov eax, dword ptr fs:[00000030h]16_2_0185C600
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185C600 mov eax, dword ptr fs:[00000030h]16_2_0185C600
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185C600 mov eax, dword ptr fs:[00000030h]16_2_0185C600
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01888E00 mov eax, dword ptr fs:[00000030h]16_2_01888E00
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01868A0A mov eax, dword ptr fs:[00000030h]16_2_01868A0A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185AA16 mov eax, dword ptr fs:[00000030h]16_2_0185AA16
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185AA16 mov eax, dword ptr fs:[00000030h]16_2_0185AA16
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A61C mov eax, dword ptr fs:[00000030h]16_2_0188A61C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A61C mov eax, dword ptr fs:[00000030h]16_2_0188A61C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov eax, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov ecx, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov eax, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov eax, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01911608 mov eax, dword ptr fs:[00000030h]16_2_01911608
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01873A1C mov eax, dword ptr fs:[00000030h]16_2_01873A1C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185E620 mov eax, dword ptr fs:[00000030h]16_2_0185E620
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01894A2C mov eax, dword ptr fs:[00000030h]16_2_01894A2C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01894A2C mov eax, dword ptr fs:[00000030h]16_2_01894A2C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190FE3F mov eax, dword ptr fs:[00000030h]16_2_0190FE3F
          Source: C:\Users\user\Desktop\Purchase Order.exe