Windows Analysis Report
PURCHASE ORDER-6350.exe

Overview

General Information

Sample name: PURCHASE ORDER-6350.exe
Analysis ID: 1519455
MD5: f89e05b5582e853a9c1a425bb21736e6
SHA1: 5bee740320eddd8182d71519f3bba8198062c1f1
SHA256: b470d179064081578ef2e125c88c726a11f4129dd2593ccb84e054779ed32a21
Tags: exeuser-TeamDreier
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER-6350.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PURCHASE ORDER-6350.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PURCHASE ORDER-6350.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PURCHASE ORDER-6350.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PURCHASE ORDER-6350.exe, PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: nLPq.pdb source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr
Source: Binary string: nLPq.pdbSHA256j source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 4x nop then jmp 0767537Dh 0_2_076756F4
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1770780900.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, fPtPRnPDTzobXQ.exe, 00000009.00000002.1894943125.0000000003322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776428016.0000000005804000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PURCHASE ORDER-6350.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0042C283 NtClose, 8_2_0042C283
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262B60 NtClose,LdrInitializeThunk, 8_2_01262B60
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01262DF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01262C70
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012635C0 NtCreateMutant,LdrInitializeThunk, 8_2_012635C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01264340 NtSetContextThread, 8_2_01264340
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01264650 NtSuspendThread, 8_2_01264650
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262BA0 NtEnumerateValueKey, 8_2_01262BA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262B80 NtQueryInformationFile, 8_2_01262B80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262BE0 NtQueryValueKey, 8_2_01262BE0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262BF0 NtAllocateVirtualMemory, 8_2_01262BF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262AB0 NtWaitForSingleObject, 8_2_01262AB0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262AF0 NtWriteFile, 8_2_01262AF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262AD0 NtReadFile, 8_2_01262AD0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262D30 NtUnmapViewOfSection, 8_2_01262D30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262D00 NtSetInformationFile, 8_2_01262D00
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262D10 NtMapViewOfSection, 8_2_01262D10
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262DB0 NtEnumerateKey, 8_2_01262DB0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262DD0 NtDelayExecution, 8_2_01262DD0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262C00 NtQueryInformationProcess, 8_2_01262C00
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262C60 NtCreateKey, 8_2_01262C60
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262CA0 NtQueryInformationToken, 8_2_01262CA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262CF0 NtOpenProcess, 8_2_01262CF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262CC0 NtQueryVirtualMemory, 8_2_01262CC0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262F30 NtCreateSection, 8_2_01262F30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262F60 NtCreateProcessEx, 8_2_01262F60
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262FA0 NtQuerySection, 8_2_01262FA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262FB0 NtResumeThread, 8_2_01262FB0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262F90 NtProtectVirtualMemory, 8_2_01262F90
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262FE0 NtCreateFile, 8_2_01262FE0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262E30 NtWriteVirtualMemory, 8_2_01262E30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262EA0 NtAdjustPrivilegesToken, 8_2_01262EA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262E80 NtReadVirtualMemory, 8_2_01262E80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262EE0 NtQueueApcThread, 8_2_01262EE0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01263010 NtOpenDirectoryObject, 8_2_01263010
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01263090 NtSetValueKey, 8_2_01263090
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012639B0 NtGetContextThread, 8_2_012639B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01263D10 NtOpenProcessToken, 8_2_01263D10
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01263D70 NtOpenThread, 8_2_01263D70
Detected potential crypto function
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_02D6D5BC 0_2_02D6D5BC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_07675188 0_2_07675188
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_076705C8 0_2_076705C8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_076705D8 0_2_076705D8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_07670E48 0_2_07670E48
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_07677EE8 0_2_07677EE8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_07670A10 0_2_07670A10
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0042E8E3 8_2_0042E8E3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0040FA41 8_2_0040FA41
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0040FA43 8_2_0040FA43
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00401260 8_2_00401260
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004023D0 8_2_004023D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004163EE 8_2_004163EE
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004163F3 8_2_004163F3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0040FC63 8_2_0040FC63
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004014E0 8_2_004014E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0040DCE3 8_2_0040DCE3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00402F50 8_2_00402F50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00402730 8_2_00402730
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220100 8_2_01220100
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CA118 8_2_012CA118
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B8158 8_2_012B8158
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F01AA 8_2_012F01AA
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E41A2 8_2_012E41A2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E81CC 8_2_012E81CC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EA352 8_2_012EA352
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F03E6 8_2_012F03E6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E3F0 8_2_0123E3F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B02C0 8_2_012B02C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F0591 8_2_012F0591
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D4420 8_2_012D4420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E2446 8_2_012E2446
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DE4F6 8_2_012DE4F6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01254750 8_2_01254750
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122C7C0 8_2_0122C7C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124C6E0 8_2_0124C6E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01246962 8_2_01246962
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012FA9A6 8_2_012FA9A6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123A840 8_2_0123A840
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01232840 8_2_01232840
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012168B8 8_2_012168B8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E8F0 8_2_0125E8F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EAB40 8_2_012EAB40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E6BD7 8_2_012E6BD7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123AD00 8_2_0123AD00
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CCD1F 8_2_012CCD1F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01248DBF 8_2_01248DBF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122ADE0 8_2_0122ADE0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230C00 8_2_01230C00
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0CB5 8_2_012D0CB5
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220CF2 8_2_01220CF2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01272F28 8_2_01272F28
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01250F30 8_2_01250F30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D2F30 8_2_012D2F30
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A4F40 8_2_012A4F40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AEFA0 8_2_012AEFA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01222FC8 8_2_01222FC8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EEE26 8_2_012EEE26
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230E59 8_2_01230E59
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242E90 8_2_01242E90
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012ECE93 8_2_012ECE93
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EEEDB 8_2_012EEEDB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012FB16B 8_2_012FB16B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126516C 8_2_0126516C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121F172 8_2_0121F172
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123B1B0 8_2_0123B1B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E70E9 8_2_012E70E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EF0E0 8_2_012EF0E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DF0CC 8_2_012DF0CC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012370C0 8_2_012370C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E132D 8_2_012E132D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121D34C 8_2_0121D34C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0127739A 8_2_0127739A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012352A0 8_2_012352A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D12ED 8_2_012D12ED
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124B2C0 8_2_0124B2C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E7571 8_2_012E7571
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CD5B0 8_2_012CD5B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F95C3 8_2_012F95C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EF43F 8_2_012EF43F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01221460 8_2_01221460
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EF7B0 8_2_012EF7B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01275630 8_2_01275630
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E16CC 8_2_012E16CC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C5910 8_2_012C5910
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01239950 8_2_01239950
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124B950 8_2_0124B950
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129D800 8_2_0129D800
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012338E0 8_2_012338E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EFB76 8_2_012EFB76
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124FB80 8_2_0124FB80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A5BF0 8_2_012A5BF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126DBF9 8_2_0126DBF9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A3A6C 8_2_012A3A6C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EFA49 8_2_012EFA49
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E7A46 8_2_012E7A46
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CDAAC 8_2_012CDAAC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01275AA0 8_2_01275AA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D1AA3 8_2_012D1AA3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DDAC6 8_2_012DDAC6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E7D73 8_2_012E7D73
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01233D40 8_2_01233D40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E1D5A 8_2_012E1D5A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124FDC0 8_2_0124FDC0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A9C32 8_2_012A9C32
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EFCF2 8_2_012EFCF2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EFF09 8_2_012EFF09
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EFFB1 8_2_012EFFB1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01231F92 8_2_01231F92
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01239EB0 8_2_01239EB0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 9_2_017C4B01 9_2_017C4B01
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 9_2_017CD5BC 9_2_017CD5BC
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01360100 13_2_01360100
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013B6000 13_2_013B6000
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013F02C0 13_2_013F02C0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01370535 13_2_01370535
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01370770 13_2_01370770
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01394750 13_2_01394750
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0136C7C0 13_2_0136C7C0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0138C6E0 13_2_0138C6E0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01386962 13_2_01386962
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013729A0 13_2_013729A0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01372840 13_2_01372840
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0137A840 13_2_0137A840
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013568B8 13_2_013568B8
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013A8890 13_2_013A8890
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0139E8F0 13_2_0139E8F0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0136EA80 13_2_0136EA80
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0137AD00 13_2_0137AD00
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0137ED7A 13_2_0137ED7A
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01388DBF 13_2_01388DBF
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0136ADE0 13_2_0136ADE0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01378DC0 13_2_01378DC0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01370C00 13_2_01370C00
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01360CF2 13_2_01360CF2
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01390F30 13_2_01390F30
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013B2F28 13_2_013B2F28
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013E4F40 13_2_013E4F40
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013EEFA0 13_2_013EEFA0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01362FC8 13_2_01362FC8
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01370E59 13_2_01370E59
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01382E90 13_2_01382E90
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0135F172 13_2_0135F172
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013A516C 13_2_013A516C
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0137B1B0 13_2_0137B1B0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0135D34C 13_2_0135D34C
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013733F3 13_2_013733F3
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013752A0 13_2_013752A0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0138D2F0 13_2_0138D2F0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0138B2C0 13_2_0138B2C0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01361460 13_2_01361460
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01373497 13_2_01373497
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013B74E0 13_2_013B74E0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0137B730 13_2_0137B730
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01379950 13_2_01379950
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0138B950 13_2_0138B950
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01375990 13_2_01375990
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013DD800 13_2_013DD800
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013738E0 13_2_013738E0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0138FB80 13_2_0138FB80
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013ADBF9 13_2_013ADBF9
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013E5BF0 13_2_013E5BF0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013E3A6C 13_2_013E3A6C
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01373D40 13_2_01373D40
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_0138FDC0 13_2_0138FDC0
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013E9C32 13_2_013E9C32
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01389C20 13_2_01389C20
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01371F92 13_2_01371F92
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01379EB0 13_2_01379EB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: String function: 013B7E54 appears 96 times
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: String function: 013DEA12 appears 36 times
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: String function: 0129EA12 appears 86 times
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: String function: 0121B970 appears 265 times
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: String function: 012AF290 appears 105 times
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: String function: 01277E54 appears 108 times
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: String function: 01265130 appears 58 times
Sample file is different than original file name gathered from version info
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1772488639.0000000004232000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350.exe
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1762744588.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PURCHASE ORDER-6350.exe
Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1784968693.0000000009D50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350.exe
Source: PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.000000000131D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE ORDER-6350.exe
Source: PURCHASE ORDER-6350.exe Binary or memory string: OriginalFilenamenLPq.exe6 vs PURCHASE ORDER-6350.exe
Uses 32bit PE files
Source: PURCHASE ORDER-6350.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: PURCHASE ORDER-6350.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fPtPRnPDTzobXQ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Rk723ArKiTbtcml8Ra.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.cs Security API names: _0020.AddAccessRule
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.cs Security API names: _0020.AddAccessRule
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Rk723ArKiTbtcml8Ra.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/15@0/0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe File created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Mutant created: \Sessions\1\BaseNamedObjects\WPqDITmJcliYxcgAOiUD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe File created: C:\Users\user\AppData\Local\Temp\tmpD091.tmp Jump to behavior
Source: PURCHASE ORDER-6350.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PURCHASE ORDER-6350.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PURCHASE ORDER-6350.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe File read: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PURCHASE ORDER-6350.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PURCHASE ORDER-6350.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PURCHASE ORDER-6350.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PURCHASE ORDER-6350.exe, PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: nLPq.pdb source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr
Source: Binary string: nLPq.pdbSHA256j source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: PURCHASE ORDER-6350.exe, VentanaPrincipal.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: fPtPRnPDTzobXQ.exe.0.dr, VentanaPrincipal.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350.exe.59d0000.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350.exe.2fc6f18.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.cs .Net Code: SyyWBierHE System.Reflection.Assembly.Load(byte[])
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.cs .Net Code: SyyWBierHE System.Reflection.Assembly.Load(byte[])
Source: 9.2.fPtPRnPDTzobXQ.exe.3306f2c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: PURCHASE ORDER-6350.exe Static PE information: 0xEA84B806 [Sun Sep 5 23:06:46 2094 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 0_2_07674B02 push esp; retf 0_2_07674B09
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0041A87D push esp; retf 8_2_0041A87E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0040710D pushfd ; retf 8_2_0040710E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00423916 push esi; retf 8_2_0042392E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00423923 push esi; retf 8_2_0042392E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004031D0 push eax; ret 8_2_004031D2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00418B76 push ebx; retf 8_2_00418B77
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00423B35 push cs; retf 8_2_00423B36
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0041A3C1 push edi; retf 8_2_0041A3C7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004143E3 push edi; iretd 8_2_004143EF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00423C2F push C67CA722h; ret 8_2_00423C34
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00411DA3 push edi; iretd 8_2_00411DAF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_00424700 push ecx; retf 8_2_00424749
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004247A8 push edi; ret 8_2_004247AC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_011F225F pushad ; ret 8_2_011F27F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_011F27FA pushad ; ret 8_2_011F27F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012209AD push ecx; mov dword ptr [esp], ecx 8_2_012209B6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_011F283D push eax; iretd 8_2_011F2858
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_011F1368 push eax; iretd 8_2_011F1369
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 9_2_017CE9FB pushfd ; retf 9_2_017CEA01
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 9_2_017CF113 push eax; iretd 9_2_017CF119
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013AC54F push 8B013367h; ret 13_2_013AC554
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013AC54D pushfd ; ret 13_2_013AC54E
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013609AD push ecx; mov dword ptr [esp], ecx 13_2_013609B6
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013AC9D7 push edi; ret 13_2_013AC9D9
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01331344 push eax; iretd 13_2_01331369
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_01331FEC push eax; iretd 13_2_01331FED
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Code function: 13_2_013B7E99 push ecx; ret 13_2_013B7EAC
Source: PURCHASE ORDER-6350.exe Static PE information: section name: .text entropy: 7.849261127100481
Source: fPtPRnPDTzobXQ.exe.0.dr Static PE information: section name: .text entropy: 7.849261127100481
Source: 0.2.PURCHASE ORDER-6350.exe.59d0000.2.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.PURCHASE ORDER-6350.exe.59d0000.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.PURCHASE ORDER-6350.exe.2fc6f18.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.PURCHASE ORDER-6350.exe.2fc6f18.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, KsrdrsOdVPvjmXHTLr.cs High entropy of concatenated method names: 'lwjZCVnYA4', 'dyrZNdF7q0', 'vIdZBMkjeB', 'swaZktlEtA', 'X11ZfRHwZs', 'haRZ162bjV', 'gvaZ7Sqgh4', 'RtxZrpD7BU', 'jijZtO34RU', 'R6fZFbJHY5'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, undML2y4V1go0ZJeQP.cs High entropy of concatenated method names: 'WgjXHjfv8v', 'L4lXi39TNQ', 'ympXyHJEX5', 'duyXlf5fMI', 'KPiXe4XulY', 'BmcXE01wop', 'hxyX48CNgJ', 'DpwX0EX0lh', 'IvqXYy3sBr', 'Y2UXwJIKvk'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, VCADiltTrh3sqYg5xc.cs High entropy of concatenated method names: 'eXZPkCiWWT', 'cB3P19eler', 'zRKPrLqx8l', 'dmkPtL7iHU', 'ogIPX7TrfL', 'sJMPuItO8V', 'Ha4P5bSnUW', 'GkfPdI89QD', 'W52PjYk61V', 'NJoPn1Ddj1'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, iBiV2C2Vc6aMIgSOoj.cs High entropy of concatenated method names: 'hVW5b3hCgh', 'rbF5VgTfOG', 'zVbd9o5kVD', 'pLmd6rxbAs', 'c7A5DbU7Zh', 'UBw5iyBOVr', 'u125G2eDg9', 'Qli5yMsUJe', 'n115lHkOsX', 'SP75AotGGd'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, E6tjfjQhZwuvpgS8ED.cs High entropy of concatenated method names: 'MgXxKQvDWQ', 'z4FxamfRYw', 'TUcxhsNmfi', 'I6wxZu1luv', 'y0VxR3Hxqw', 'yZthcfvKls', 'GQPh26aPdN', 'FbMhgyZE4I', 'yrvhbSfed6', 'ynBh3A5d5A'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, aJbcMuGWYyPnxPuAfh.cs High entropy of concatenated method names: 'qTILrEPJar', 'KElLtmyxpO', 'txNLQm0i1x', 'dueLeZER2i', 'clRL4BM0vx', 'xeHL039IY2', 'pToLwNFI7X', 'G8KLs4p4m3', 'SeILHHNPPa', 'JWvLDe9I0o'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, lNVCUfPgOf8vVXOPFR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAnq3EH8o9', 'Vg3qVVXawN', 'AraqzE8AtX', 'dAES9wAnkn', 'u1IS6W8W7R', 'eisSqoa0Fq', 'K9QSSpi6nI', 'xnasH2IBeFeuNihjVkU'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, zqpCvEwpXNDhxphlvP.cs High entropy of concatenated method names: 'oo4ZvpKQHi', 'jKUZPc7dD2', 'yVNZxEFB8W', 'PYBxV5orUb', 'H5xxz5fH3t', 'WvWZ9DyCGP', 'taMZ6Ksi11', 'hCeZq4l6h9', 'GGXZSsMfpJ', 'bmLZWKR64J'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, zMkoDZzFwaQcW7eJCv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hggjLFi6Hk', 'yVIjX57ivJ', 'WKajuLK3Jq', 'Teoj5EF60I', 'mwrjdw9BQ1', 'gHhjjtfaec', 'le0jneLRyA'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, qAx10cWHgAE7nPkcKV.cs High entropy of concatenated method names: 'sKl6Zk723A', 'eiT6Rbtcml', 'STr6oh3sqY', 'W5x6TcS2LZ', 'GsQ6XlHt6t', 'rfj6uhZwuv', 'thXPv1Euw3kghU9j3e', 'hLB4EkpJgJwv2RckfG', 'cvo6679yHD', 'aLj6SVJFfj'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, bQqa3CbKB0K6BwvSlg.cs High entropy of concatenated method names: 'rPkdvJT43s', 'kXhda0xSmI', 'Y9CdPp4NJc', 'x7odh7hspb', 'l6Qdx6aXrp', 'EmodZsR6hI', 'ih1dRjm3jw', 'KPddIlqgHF', 'BPwdoalF1D', 'VkNdTPVOWn'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, AZMFiKAOIrw31C7ywp.cs High entropy of concatenated method names: 'ToString', 'j9puDvnjNA', 'NP6ueTk8qh', 'paJuE872rx', 'mxcu47MA2F', 'Uk2u0YSX2F', 'mqBuYJnVFP', 'vqcuw8Nq3Y', 'XpfusntDHl', 'R3WuOBeDBQ'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Rk723ArKiTbtcml8Ra.cs High entropy of concatenated method names: 'jefaynLnSb', 'NpDal1Jvnm', 'uJXaAPtNmb', 'm57aMiqMfA', 'kvkacsnXZ4', 'yVYa2xfcUF', 'NEdagRP5bQ', 'w8oabBhH2M', 'UMBa3lFgVR', 'XGwaV96dHb'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, ya5aN7q4QEmDi4qyRj.cs High entropy of concatenated method names: 'vfIBLAuQc', 'PuDkZyN0u', 'ALU16HUJt', 'FKS7q5VnB', 'cv4t8TaKk', 'aP9FRhqn2', 'MDGl6U9tYrAdePDbRM', 'zmv5kpsOHf3I65GBDr', 'NLNdjesep', 'U5xnCIiqH'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, TLjILTVf9QWymvEYaL.cs High entropy of concatenated method names: 'QBRj68XjUb', 'nGnjS7h44o', 'tWBjWQgAFG', 'AyOjvnpWE7', 'M0Pjaih2Qo', 'n35jhqEY6t', 'NoMjxyw3kS', 'APbdg5HgOc', 'hJsdbt7lqy', 'Ye8d3oh28j'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.cs High entropy of concatenated method names: 'g0USKMhSSG', 'isaSvRbuQu', 'we0SaR2PaO', 'CdBSPSRIGU', 'kNAShPxLIy', 'DTLSxRCktm', 'pgASZOASDP', 'bBTSRdlS4L', 'IpdSId6KTP', 'eANSoFQpCK'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Ij5Reu6SUZNHtMPmcKG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HXnnyt86rd', 'FWtnlVrZJN', 'LwinAP1tsd', 'ePDnMVGydv', 'rEqncbBs5d', 'Pm8n2RQvSJ', 'agcng05vpg'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, d2LZDOFei5OokQsQlH.cs High entropy of concatenated method names: 'dCkhfS24nG', 'jj4h7YK8I6', 'NYGPERgsBW', 'mpUP4mhmRn', 'ANfP0jhQBD', 'iMMPYSrSLa', 'Vb8PwU2LZH', 'jKAPsBHaQe', 'fMFPORoREE', 'd6rPH9xEcH'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, EBAJ9F69KN4UpmhYvh7.cs High entropy of concatenated method names: 'e66jCiCMTI', 'OWCjNjMyBk', 'OI3jBIYHad', 'RFIjkHXgb5', 'FV3jfdF1VP', 'QJmj1BvpqW', 'DBFj7W5Yq1', 'xNrjr4BF5l', 'RNljtlgNw7', 'SeajFWmEEj'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, iN9InB3Hg4ond1noeE.cs High entropy of concatenated method names: 'j3JdQtmdkB', 'u3Vde5Jtyq', 'PfUdEUEw8Z', 'XGLd4IBv2h', 'Flwdy5WvTi', 'Mx5d0wF3Nv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, lxPrpGa8NRbiScClQu.cs High entropy of concatenated method names: 'Dispose', 'n4e63KxOdI', 'KXcqeXC3wM', 'kbhvvjEFvw', 'LqQ6Vqa3CK', 'z0K6z6BwvS', 'ProcessDialogKey', 'Sgxq9N9InB', 'Ng4q6ond1n', 'meEqqMLjIL'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, t1MhDy4HE7FMV40LBR.cs High entropy of concatenated method names: 'R2Kx8EALSL', 'wArxCFfqLi', 'qNOxBIbT8q', 'Lyhxkej93Q', 'X5dx1NRupe', 'ATTx7HR8pb', 'zp0xtcpmns', 'G2UxFgZmho', 'WGujAZ3YPOchmnrvlEj', 'O3NtXQ3HEqDY72diVvl'
Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Yhvd09McYIBPwo6BUE.cs High entropy of concatenated method names: 'ekg5oBlOj8', 'eKq5TBM7OE', 'ToString', 'r0I5vTOPKv', 'Gv05ayXeoV', 'Y235PiNUQm', 'L3i5hpMGsi', 'JoI5xQNVBH', 'F0r5Zo6Fhc', 'JD65RpYMF8'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, KsrdrsOdVPvjmXHTLr.cs High entropy of concatenated method names: 'lwjZCVnYA4', 'dyrZNdF7q0', 'vIdZBMkjeB', 'swaZktlEtA', 'X11ZfRHwZs', 'haRZ162bjV', 'gvaZ7Sqgh4', 'RtxZrpD7BU', 'jijZtO34RU', 'R6fZFbJHY5'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, undML2y4V1go0ZJeQP.cs High entropy of concatenated method names: 'WgjXHjfv8v', 'L4lXi39TNQ', 'ympXyHJEX5', 'duyXlf5fMI', 'KPiXe4XulY', 'BmcXE01wop', 'hxyX48CNgJ', 'DpwX0EX0lh', 'IvqXYy3sBr', 'Y2UXwJIKvk'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, VCADiltTrh3sqYg5xc.cs High entropy of concatenated method names: 'eXZPkCiWWT', 'cB3P19eler', 'zRKPrLqx8l', 'dmkPtL7iHU', 'ogIPX7TrfL', 'sJMPuItO8V', 'Ha4P5bSnUW', 'GkfPdI89QD', 'W52PjYk61V', 'NJoPn1Ddj1'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, iBiV2C2Vc6aMIgSOoj.cs High entropy of concatenated method names: 'hVW5b3hCgh', 'rbF5VgTfOG', 'zVbd9o5kVD', 'pLmd6rxbAs', 'c7A5DbU7Zh', 'UBw5iyBOVr', 'u125G2eDg9', 'Qli5yMsUJe', 'n115lHkOsX', 'SP75AotGGd'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, E6tjfjQhZwuvpgS8ED.cs High entropy of concatenated method names: 'MgXxKQvDWQ', 'z4FxamfRYw', 'TUcxhsNmfi', 'I6wxZu1luv', 'y0VxR3Hxqw', 'yZthcfvKls', 'GQPh26aPdN', 'FbMhgyZE4I', 'yrvhbSfed6', 'ynBh3A5d5A'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, aJbcMuGWYyPnxPuAfh.cs High entropy of concatenated method names: 'qTILrEPJar', 'KElLtmyxpO', 'txNLQm0i1x', 'dueLeZER2i', 'clRL4BM0vx', 'xeHL039IY2', 'pToLwNFI7X', 'G8KLs4p4m3', 'SeILHHNPPa', 'JWvLDe9I0o'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, lNVCUfPgOf8vVXOPFR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAnq3EH8o9', 'Vg3qVVXawN', 'AraqzE8AtX', 'dAES9wAnkn', 'u1IS6W8W7R', 'eisSqoa0Fq', 'K9QSSpi6nI', 'xnasH2IBeFeuNihjVkU'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, zqpCvEwpXNDhxphlvP.cs High entropy of concatenated method names: 'oo4ZvpKQHi', 'jKUZPc7dD2', 'yVNZxEFB8W', 'PYBxV5orUb', 'H5xxz5fH3t', 'WvWZ9DyCGP', 'taMZ6Ksi11', 'hCeZq4l6h9', 'GGXZSsMfpJ', 'bmLZWKR64J'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, zMkoDZzFwaQcW7eJCv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hggjLFi6Hk', 'yVIjX57ivJ', 'WKajuLK3Jq', 'Teoj5EF60I', 'mwrjdw9BQ1', 'gHhjjtfaec', 'le0jneLRyA'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, qAx10cWHgAE7nPkcKV.cs High entropy of concatenated method names: 'sKl6Zk723A', 'eiT6Rbtcml', 'STr6oh3sqY', 'W5x6TcS2LZ', 'GsQ6XlHt6t', 'rfj6uhZwuv', 'thXPv1Euw3kghU9j3e', 'hLB4EkpJgJwv2RckfG', 'cvo6679yHD', 'aLj6SVJFfj'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, bQqa3CbKB0K6BwvSlg.cs High entropy of concatenated method names: 'rPkdvJT43s', 'kXhda0xSmI', 'Y9CdPp4NJc', 'x7odh7hspb', 'l6Qdx6aXrp', 'EmodZsR6hI', 'ih1dRjm3jw', 'KPddIlqgHF', 'BPwdoalF1D', 'VkNdTPVOWn'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, AZMFiKAOIrw31C7ywp.cs High entropy of concatenated method names: 'ToString', 'j9puDvnjNA', 'NP6ueTk8qh', 'paJuE872rx', 'mxcu47MA2F', 'Uk2u0YSX2F', 'mqBuYJnVFP', 'vqcuw8Nq3Y', 'XpfusntDHl', 'R3WuOBeDBQ'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Rk723ArKiTbtcml8Ra.cs High entropy of concatenated method names: 'jefaynLnSb', 'NpDal1Jvnm', 'uJXaAPtNmb', 'm57aMiqMfA', 'kvkacsnXZ4', 'yVYa2xfcUF', 'NEdagRP5bQ', 'w8oabBhH2M', 'UMBa3lFgVR', 'XGwaV96dHb'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, ya5aN7q4QEmDi4qyRj.cs High entropy of concatenated method names: 'vfIBLAuQc', 'PuDkZyN0u', 'ALU16HUJt', 'FKS7q5VnB', 'cv4t8TaKk', 'aP9FRhqn2', 'MDGl6U9tYrAdePDbRM', 'zmv5kpsOHf3I65GBDr', 'NLNdjesep', 'U5xnCIiqH'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, TLjILTVf9QWymvEYaL.cs High entropy of concatenated method names: 'QBRj68XjUb', 'nGnjS7h44o', 'tWBjWQgAFG', 'AyOjvnpWE7', 'M0Pjaih2Qo', 'n35jhqEY6t', 'NoMjxyw3kS', 'APbdg5HgOc', 'hJsdbt7lqy', 'Ye8d3oh28j'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.cs High entropy of concatenated method names: 'g0USKMhSSG', 'isaSvRbuQu', 'we0SaR2PaO', 'CdBSPSRIGU', 'kNAShPxLIy', 'DTLSxRCktm', 'pgASZOASDP', 'bBTSRdlS4L', 'IpdSId6KTP', 'eANSoFQpCK'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Ij5Reu6SUZNHtMPmcKG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HXnnyt86rd', 'FWtnlVrZJN', 'LwinAP1tsd', 'ePDnMVGydv', 'rEqncbBs5d', 'Pm8n2RQvSJ', 'agcng05vpg'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, d2LZDOFei5OokQsQlH.cs High entropy of concatenated method names: 'dCkhfS24nG', 'jj4h7YK8I6', 'NYGPERgsBW', 'mpUP4mhmRn', 'ANfP0jhQBD', 'iMMPYSrSLa', 'Vb8PwU2LZH', 'jKAPsBHaQe', 'fMFPORoREE', 'd6rPH9xEcH'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, EBAJ9F69KN4UpmhYvh7.cs High entropy of concatenated method names: 'e66jCiCMTI', 'OWCjNjMyBk', 'OI3jBIYHad', 'RFIjkHXgb5', 'FV3jfdF1VP', 'QJmj1BvpqW', 'DBFj7W5Yq1', 'xNrjr4BF5l', 'RNljtlgNw7', 'SeajFWmEEj'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, iN9InB3Hg4ond1noeE.cs High entropy of concatenated method names: 'j3JdQtmdkB', 'u3Vde5Jtyq', 'PfUdEUEw8Z', 'XGLd4IBv2h', 'Flwdy5WvTi', 'Mx5d0wF3Nv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, lxPrpGa8NRbiScClQu.cs High entropy of concatenated method names: 'Dispose', 'n4e63KxOdI', 'KXcqeXC3wM', 'kbhvvjEFvw', 'LqQ6Vqa3CK', 'z0K6z6BwvS', 'ProcessDialogKey', 'Sgxq9N9InB', 'Ng4q6ond1n', 'meEqqMLjIL'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, t1MhDy4HE7FMV40LBR.cs High entropy of concatenated method names: 'R2Kx8EALSL', 'wArxCFfqLi', 'qNOxBIbT8q', 'Lyhxkej93Q', 'X5dx1NRupe', 'ATTx7HR8pb', 'zp0xtcpmns', 'G2UxFgZmho', 'WGujAZ3YPOchmnrvlEj', 'O3NtXQ3HEqDY72diVvl'
Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Yhvd09McYIBPwo6BUE.cs High entropy of concatenated method names: 'ekg5oBlOj8', 'eKq5TBM7OE', 'ToString', 'r0I5vTOPKv', 'Gv05ayXeoV', 'Y235PiNUQm', 'L3i5hpMGsi', 'JoI5xQNVBH', 'F0r5Zo6Fhc', 'JD65RpYMF8'
Source: 9.2.fPtPRnPDTzobXQ.exe.3306f2c.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 9.2.fPtPRnPDTzobXQ.exe.3306f2c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Drops PE files
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe File created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PURCHASE ORDER-6350.exe PID: 7460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: fPtPRnPDTzobXQ.exe PID: 7948, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: 1410000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: 1410000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: 9EE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: AEE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: B120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: C120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 17C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 32D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 31D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 7BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 8BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 8D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Memory allocated: 9D70000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126096E rdtsc 8_2_0126096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2540 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4779 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752 Thread sleep count: 2540 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756 Thread sleep count: 98 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe TID: 7920 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe TID: 8108 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe TID: 7180 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: fPtPRnPDTzobXQ.exe, 00000009.00000002.1854768936.00000000015B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126096E rdtsc 8_2_0126096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_004173A3 LdrLoadDll, 8_2_004173A3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01250124 mov eax, dword ptr fs:[00000030h] 8_2_01250124
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h] 8_2_012CE10E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CA118 mov ecx, dword ptr fs:[00000030h] 8_2_012CA118
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CA118 mov eax, dword ptr fs:[00000030h] 8_2_012CA118
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CA118 mov eax, dword ptr fs:[00000030h] 8_2_012CA118
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CA118 mov eax, dword ptr fs:[00000030h] 8_2_012CA118
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E0115 mov eax, dword ptr fs:[00000030h] 8_2_012E0115
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4164 mov eax, dword ptr fs:[00000030h] 8_2_012F4164
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4164 mov eax, dword ptr fs:[00000030h] 8_2_012F4164
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h] 8_2_012B4144
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h] 8_2_012B4144
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B4144 mov ecx, dword ptr fs:[00000030h] 8_2_012B4144
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h] 8_2_012B4144
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h] 8_2_012B4144
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B8158 mov eax, dword ptr fs:[00000030h] 8_2_012B8158
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226154 mov eax, dword ptr fs:[00000030h] 8_2_01226154
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226154 mov eax, dword ptr fs:[00000030h] 8_2_01226154
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121C156 mov eax, dword ptr fs:[00000030h] 8_2_0121C156
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01260185 mov eax, dword ptr fs:[00000030h] 8_2_01260185
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DC188 mov eax, dword ptr fs:[00000030h] 8_2_012DC188
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DC188 mov eax, dword ptr fs:[00000030h] 8_2_012DC188
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C4180 mov eax, dword ptr fs:[00000030h] 8_2_012C4180
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C4180 mov eax, dword ptr fs:[00000030h] 8_2_012C4180
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A019F mov eax, dword ptr fs:[00000030h] 8_2_012A019F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A019F mov eax, dword ptr fs:[00000030h] 8_2_012A019F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A019F mov eax, dword ptr fs:[00000030h] 8_2_012A019F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A019F mov eax, dword ptr fs:[00000030h] 8_2_012A019F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121A197 mov eax, dword ptr fs:[00000030h] 8_2_0121A197
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121A197 mov eax, dword ptr fs:[00000030h] 8_2_0121A197
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121A197 mov eax, dword ptr fs:[00000030h] 8_2_0121A197
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F61E5 mov eax, dword ptr fs:[00000030h] 8_2_012F61E5
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012501F8 mov eax, dword ptr fs:[00000030h] 8_2_012501F8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E61C3 mov eax, dword ptr fs:[00000030h] 8_2_012E61C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E61C3 mov eax, dword ptr fs:[00000030h] 8_2_012E61C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0129E1D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0129E1D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E1D0 mov ecx, dword ptr fs:[00000030h] 8_2_0129E1D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0129E1D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0129E1D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121A020 mov eax, dword ptr fs:[00000030h] 8_2_0121A020
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121C020 mov eax, dword ptr fs:[00000030h] 8_2_0121C020
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B6030 mov eax, dword ptr fs:[00000030h] 8_2_012B6030
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A4000 mov ecx, dword ptr fs:[00000030h] 8_2_012A4000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h] 8_2_012C2000
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h] 8_2_0123E016
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h] 8_2_0123E016
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h] 8_2_0123E016
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h] 8_2_0123E016
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124C073 mov eax, dword ptr fs:[00000030h] 8_2_0124C073
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01222050 mov eax, dword ptr fs:[00000030h] 8_2_01222050
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6050 mov eax, dword ptr fs:[00000030h] 8_2_012A6050
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012180A0 mov eax, dword ptr fs:[00000030h] 8_2_012180A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B80A8 mov eax, dword ptr fs:[00000030h] 8_2_012B80A8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E60B8 mov eax, dword ptr fs:[00000030h] 8_2_012E60B8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E60B8 mov ecx, dword ptr fs:[00000030h] 8_2_012E60B8
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122208A mov eax, dword ptr fs:[00000030h] 8_2_0122208A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121A0E3 mov ecx, dword ptr fs:[00000030h] 8_2_0121A0E3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A60E0 mov eax, dword ptr fs:[00000030h] 8_2_012A60E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012280E9 mov eax, dword ptr fs:[00000030h] 8_2_012280E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121C0F0 mov eax, dword ptr fs:[00000030h] 8_2_0121C0F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012620F0 mov ecx, dword ptr fs:[00000030h] 8_2_012620F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A20DE mov eax, dword ptr fs:[00000030h] 8_2_012A20DE
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F8324 mov eax, dword ptr fs:[00000030h] 8_2_012F8324
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F8324 mov ecx, dword ptr fs:[00000030h] 8_2_012F8324
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F8324 mov eax, dword ptr fs:[00000030h] 8_2_012F8324
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F8324 mov eax, dword ptr fs:[00000030h] 8_2_012F8324
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A30B mov eax, dword ptr fs:[00000030h] 8_2_0125A30B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A30B mov eax, dword ptr fs:[00000030h] 8_2_0125A30B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A30B mov eax, dword ptr fs:[00000030h] 8_2_0125A30B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121C310 mov ecx, dword ptr fs:[00000030h] 8_2_0121C310
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01240310 mov ecx, dword ptr fs:[00000030h] 8_2_01240310
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C437C mov eax, dword ptr fs:[00000030h] 8_2_012C437C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F634F mov eax, dword ptr fs:[00000030h] 8_2_012F634F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h] 8_2_012A2349
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A035C mov eax, dword ptr fs:[00000030h] 8_2_012A035C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A035C mov eax, dword ptr fs:[00000030h] 8_2_012A035C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A035C mov eax, dword ptr fs:[00000030h] 8_2_012A035C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A035C mov ecx, dword ptr fs:[00000030h] 8_2_012A035C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A035C mov eax, dword ptr fs:[00000030h] 8_2_012A035C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A035C mov eax, dword ptr fs:[00000030h] 8_2_012A035C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EA352 mov eax, dword ptr fs:[00000030h] 8_2_012EA352
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C8350 mov ecx, dword ptr fs:[00000030h] 8_2_012C8350
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121E388 mov eax, dword ptr fs:[00000030h] 8_2_0121E388
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121E388 mov eax, dword ptr fs:[00000030h] 8_2_0121E388
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121E388 mov eax, dword ptr fs:[00000030h] 8_2_0121E388
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124438F mov eax, dword ptr fs:[00000030h] 8_2_0124438F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124438F mov eax, dword ptr fs:[00000030h] 8_2_0124438F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01218397 mov eax, dword ptr fs:[00000030h] 8_2_01218397
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01218397 mov eax, dword ptr fs:[00000030h] 8_2_01218397
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01218397 mov eax, dword ptr fs:[00000030h] 8_2_01218397
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h] 8_2_012303E9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0123E3F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0123E3F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0123E3F0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012563FF mov eax, dword ptr fs:[00000030h] 8_2_012563FF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DC3CD mov eax, dword ptr fs:[00000030h] 8_2_012DC3CD
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0122A3C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0122A3C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0122A3C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0122A3C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0122A3C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0122A3C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h] 8_2_012283C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h] 8_2_012283C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h] 8_2_012283C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h] 8_2_012283C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A63C0 mov eax, dword ptr fs:[00000030h] 8_2_012A63C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE3DB mov eax, dword ptr fs:[00000030h] 8_2_012CE3DB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE3DB mov eax, dword ptr fs:[00000030h] 8_2_012CE3DB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE3DB mov ecx, dword ptr fs:[00000030h] 8_2_012CE3DB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CE3DB mov eax, dword ptr fs:[00000030h] 8_2_012CE3DB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C43D4 mov eax, dword ptr fs:[00000030h] 8_2_012C43D4
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C43D4 mov eax, dword ptr fs:[00000030h] 8_2_012C43D4
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121823B mov eax, dword ptr fs:[00000030h] 8_2_0121823B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224260 mov eax, dword ptr fs:[00000030h] 8_2_01224260
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224260 mov eax, dword ptr fs:[00000030h] 8_2_01224260
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224260 mov eax, dword ptr fs:[00000030h] 8_2_01224260
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121826B mov eax, dword ptr fs:[00000030h] 8_2_0121826B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h] 8_2_012D0274
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A8243 mov eax, dword ptr fs:[00000030h] 8_2_012A8243
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A8243 mov ecx, dword ptr fs:[00000030h] 8_2_012A8243
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121A250 mov eax, dword ptr fs:[00000030h] 8_2_0121A250
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F625D mov eax, dword ptr fs:[00000030h] 8_2_012F625D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226259 mov eax, dword ptr fs:[00000030h] 8_2_01226259
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DA250 mov eax, dword ptr fs:[00000030h] 8_2_012DA250
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DA250 mov eax, dword ptr fs:[00000030h] 8_2_012DA250
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012302A0 mov eax, dword ptr fs:[00000030h] 8_2_012302A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012302A0 mov eax, dword ptr fs:[00000030h] 8_2_012302A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h] 8_2_012B62A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B62A0 mov ecx, dword ptr fs:[00000030h] 8_2_012B62A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h] 8_2_012B62A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h] 8_2_012B62A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h] 8_2_012B62A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h] 8_2_012B62A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E284 mov eax, dword ptr fs:[00000030h] 8_2_0125E284
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E284 mov eax, dword ptr fs:[00000030h] 8_2_0125E284
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A0283 mov eax, dword ptr fs:[00000030h] 8_2_012A0283
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A0283 mov eax, dword ptr fs:[00000030h] 8_2_012A0283
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A0283 mov eax, dword ptr fs:[00000030h] 8_2_012A0283
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012302E1 mov eax, dword ptr fs:[00000030h] 8_2_012302E1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012302E1 mov eax, dword ptr fs:[00000030h] 8_2_012302E1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012302E1 mov eax, dword ptr fs:[00000030h] 8_2_012302E1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0122A2C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0122A2C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0122A2C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0122A2C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0122A2C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F62D6 mov eax, dword ptr fs:[00000030h] 8_2_012F62D6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 mov eax, dword ptr fs:[00000030h] 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 mov eax, dword ptr fs:[00000030h] 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 mov eax, dword ptr fs:[00000030h] 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 mov eax, dword ptr fs:[00000030h] 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 mov eax, dword ptr fs:[00000030h] 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230535 mov eax, dword ptr fs:[00000030h] 8_2_01230535
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h] 8_2_0124E53E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h] 8_2_0124E53E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h] 8_2_0124E53E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h] 8_2_0124E53E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h] 8_2_0124E53E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B6500 mov eax, dword ptr fs:[00000030h] 8_2_012B6500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h] 8_2_012F4500
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125656A mov eax, dword ptr fs:[00000030h] 8_2_0125656A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125656A mov eax, dword ptr fs:[00000030h] 8_2_0125656A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125656A mov eax, dword ptr fs:[00000030h] 8_2_0125656A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228550 mov eax, dword ptr fs:[00000030h] 8_2_01228550
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228550 mov eax, dword ptr fs:[00000030h] 8_2_01228550
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A05A7 mov eax, dword ptr fs:[00000030h] 8_2_012A05A7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A05A7 mov eax, dword ptr fs:[00000030h] 8_2_012A05A7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A05A7 mov eax, dword ptr fs:[00000030h] 8_2_012A05A7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012445B1 mov eax, dword ptr fs:[00000030h] 8_2_012445B1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012445B1 mov eax, dword ptr fs:[00000030h] 8_2_012445B1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01222582 mov eax, dword ptr fs:[00000030h] 8_2_01222582
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01222582 mov ecx, dword ptr fs:[00000030h] 8_2_01222582
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01254588 mov eax, dword ptr fs:[00000030h] 8_2_01254588
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E59C mov eax, dword ptr fs:[00000030h] 8_2_0125E59C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012225E0 mov eax, dword ptr fs:[00000030h] 8_2_012225E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0124E5E7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C5ED mov eax, dword ptr fs:[00000030h] 8_2_0125C5ED
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C5ED mov eax, dword ptr fs:[00000030h] 8_2_0125C5ED
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E5CF mov eax, dword ptr fs:[00000030h] 8_2_0125E5CF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E5CF mov eax, dword ptr fs:[00000030h] 8_2_0125E5CF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012265D0 mov eax, dword ptr fs:[00000030h] 8_2_012265D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A5D0 mov eax, dword ptr fs:[00000030h] 8_2_0125A5D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A5D0 mov eax, dword ptr fs:[00000030h] 8_2_0125A5D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121E420 mov eax, dword ptr fs:[00000030h] 8_2_0121E420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121E420 mov eax, dword ptr fs:[00000030h] 8_2_0121E420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121E420 mov eax, dword ptr fs:[00000030h] 8_2_0121E420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121C427 mov eax, dword ptr fs:[00000030h] 8_2_0121C427
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h] 8_2_012A6420
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A430 mov eax, dword ptr fs:[00000030h] 8_2_0125A430
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01258402 mov eax, dword ptr fs:[00000030h] 8_2_01258402
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01258402 mov eax, dword ptr fs:[00000030h] 8_2_01258402
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01258402 mov eax, dword ptr fs:[00000030h] 8_2_01258402
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AC460 mov ecx, dword ptr fs:[00000030h] 8_2_012AC460
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124A470 mov eax, dword ptr fs:[00000030h] 8_2_0124A470
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124A470 mov eax, dword ptr fs:[00000030h] 8_2_0124A470
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124A470 mov eax, dword ptr fs:[00000030h] 8_2_0124A470
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h] 8_2_0125E443
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DA456 mov eax, dword ptr fs:[00000030h] 8_2_012DA456
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121645D mov eax, dword ptr fs:[00000030h] 8_2_0121645D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124245A mov eax, dword ptr fs:[00000030h] 8_2_0124245A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012264AB mov eax, dword ptr fs:[00000030h] 8_2_012264AB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012544B0 mov ecx, dword ptr fs:[00000030h] 8_2_012544B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AA4B0 mov eax, dword ptr fs:[00000030h] 8_2_012AA4B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012DA49A mov eax, dword ptr fs:[00000030h] 8_2_012DA49A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012204E5 mov ecx, dword ptr fs:[00000030h] 8_2_012204E5
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C720 mov eax, dword ptr fs:[00000030h] 8_2_0125C720
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C720 mov eax, dword ptr fs:[00000030h] 8_2_0125C720
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125273C mov eax, dword ptr fs:[00000030h] 8_2_0125273C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125273C mov ecx, dword ptr fs:[00000030h] 8_2_0125273C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125273C mov eax, dword ptr fs:[00000030h] 8_2_0125273C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129C730 mov eax, dword ptr fs:[00000030h] 8_2_0129C730
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C700 mov eax, dword ptr fs:[00000030h] 8_2_0125C700
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220710 mov eax, dword ptr fs:[00000030h] 8_2_01220710
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01250710 mov eax, dword ptr fs:[00000030h] 8_2_01250710
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228770 mov eax, dword ptr fs:[00000030h] 8_2_01228770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230770 mov eax, dword ptr fs:[00000030h] 8_2_01230770
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125674D mov esi, dword ptr fs:[00000030h] 8_2_0125674D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125674D mov eax, dword ptr fs:[00000030h] 8_2_0125674D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125674D mov eax, dword ptr fs:[00000030h] 8_2_0125674D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220750 mov eax, dword ptr fs:[00000030h] 8_2_01220750
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262750 mov eax, dword ptr fs:[00000030h] 8_2_01262750
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262750 mov eax, dword ptr fs:[00000030h] 8_2_01262750
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AE75D mov eax, dword ptr fs:[00000030h] 8_2_012AE75D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A4755 mov eax, dword ptr fs:[00000030h] 8_2_012A4755
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012207AF mov eax, dword ptr fs:[00000030h] 8_2_012207AF
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D47A0 mov eax, dword ptr fs:[00000030h] 8_2_012D47A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C678E mov eax, dword ptr fs:[00000030h] 8_2_012C678E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012427ED mov eax, dword ptr fs:[00000030h] 8_2_012427ED
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012427ED mov eax, dword ptr fs:[00000030h] 8_2_012427ED
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012427ED mov eax, dword ptr fs:[00000030h] 8_2_012427ED
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AE7E1 mov eax, dword ptr fs:[00000030h] 8_2_012AE7E1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012247FB mov eax, dword ptr fs:[00000030h] 8_2_012247FB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012247FB mov eax, dword ptr fs:[00000030h] 8_2_012247FB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122C7C0 mov eax, dword ptr fs:[00000030h] 8_2_0122C7C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A07C3 mov eax, dword ptr fs:[00000030h] 8_2_012A07C3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123E627 mov eax, dword ptr fs:[00000030h] 8_2_0123E627
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01256620 mov eax, dword ptr fs:[00000030h] 8_2_01256620
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01258620 mov eax, dword ptr fs:[00000030h] 8_2_01258620
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122262C mov eax, dword ptr fs:[00000030h] 8_2_0122262C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E609 mov eax, dword ptr fs:[00000030h] 8_2_0129E609
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123260B mov eax, dword ptr fs:[00000030h] 8_2_0123260B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01262619 mov eax, dword ptr fs:[00000030h] 8_2_01262619
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E866E mov eax, dword ptr fs:[00000030h] 8_2_012E866E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E866E mov eax, dword ptr fs:[00000030h] 8_2_012E866E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A660 mov eax, dword ptr fs:[00000030h] 8_2_0125A660
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A660 mov eax, dword ptr fs:[00000030h] 8_2_0125A660
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01252674 mov eax, dword ptr fs:[00000030h] 8_2_01252674
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0123C640 mov eax, dword ptr fs:[00000030h] 8_2_0123C640
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C6A6 mov eax, dword ptr fs:[00000030h] 8_2_0125C6A6
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012566B0 mov eax, dword ptr fs:[00000030h] 8_2_012566B0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224690 mov eax, dword ptr fs:[00000030h] 8_2_01224690
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224690 mov eax, dword ptr fs:[00000030h] 8_2_01224690
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0129E6F2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0129E6F2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0129E6F2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0129E6F2
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A06F1 mov eax, dword ptr fs:[00000030h] 8_2_012A06F1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A06F1 mov eax, dword ptr fs:[00000030h] 8_2_012A06F1
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A6C7 mov ebx, dword ptr fs:[00000030h] 8_2_0125A6C7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A6C7 mov eax, dword ptr fs:[00000030h] 8_2_0125A6C7
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A892A mov eax, dword ptr fs:[00000030h] 8_2_012A892A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B892B mov eax, dword ptr fs:[00000030h] 8_2_012B892B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E908 mov eax, dword ptr fs:[00000030h] 8_2_0129E908
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129E908 mov eax, dword ptr fs:[00000030h] 8_2_0129E908
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AC912 mov eax, dword ptr fs:[00000030h] 8_2_012AC912
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01218918 mov eax, dword ptr fs:[00000030h] 8_2_01218918
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01218918 mov eax, dword ptr fs:[00000030h] 8_2_01218918
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01246962 mov eax, dword ptr fs:[00000030h] 8_2_01246962
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01246962 mov eax, dword ptr fs:[00000030h] 8_2_01246962
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01246962 mov eax, dword ptr fs:[00000030h] 8_2_01246962
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126096E mov eax, dword ptr fs:[00000030h] 8_2_0126096E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126096E mov edx, dword ptr fs:[00000030h] 8_2_0126096E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0126096E mov eax, dword ptr fs:[00000030h] 8_2_0126096E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C4978 mov eax, dword ptr fs:[00000030h] 8_2_012C4978
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C4978 mov eax, dword ptr fs:[00000030h] 8_2_012C4978
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AC97C mov eax, dword ptr fs:[00000030h] 8_2_012AC97C
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A0946 mov eax, dword ptr fs:[00000030h] 8_2_012A0946
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4940 mov eax, dword ptr fs:[00000030h] 8_2_012F4940
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h] 8_2_012329A0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012209AD mov eax, dword ptr fs:[00000030h] 8_2_012209AD
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012209AD mov eax, dword ptr fs:[00000030h] 8_2_012209AD
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A89B3 mov esi, dword ptr fs:[00000030h] 8_2_012A89B3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A89B3 mov eax, dword ptr fs:[00000030h] 8_2_012A89B3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012A89B3 mov eax, dword ptr fs:[00000030h] 8_2_012A89B3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AE9E0 mov eax, dword ptr fs:[00000030h] 8_2_012AE9E0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012529F9 mov eax, dword ptr fs:[00000030h] 8_2_012529F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012529F9 mov eax, dword ptr fs:[00000030h] 8_2_012529F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B69C0 mov eax, dword ptr fs:[00000030h] 8_2_012B69C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0122A9D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0122A9D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0122A9D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0122A9D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0122A9D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0122A9D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012549D0 mov eax, dword ptr fs:[00000030h] 8_2_012549D0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EA9D3 mov eax, dword ptr fs:[00000030h] 8_2_012EA9D3
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242835 mov eax, dword ptr fs:[00000030h] 8_2_01242835
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242835 mov eax, dword ptr fs:[00000030h] 8_2_01242835
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242835 mov eax, dword ptr fs:[00000030h] 8_2_01242835
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242835 mov ecx, dword ptr fs:[00000030h] 8_2_01242835
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242835 mov eax, dword ptr fs:[00000030h] 8_2_01242835
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01242835 mov eax, dword ptr fs:[00000030h] 8_2_01242835
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125A830 mov eax, dword ptr fs:[00000030h] 8_2_0125A830
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C483A mov eax, dword ptr fs:[00000030h] 8_2_012C483A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C483A mov eax, dword ptr fs:[00000030h] 8_2_012C483A
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AC810 mov eax, dword ptr fs:[00000030h] 8_2_012AC810
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AE872 mov eax, dword ptr fs:[00000030h] 8_2_012AE872
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AE872 mov eax, dword ptr fs:[00000030h] 8_2_012AE872
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B6870 mov eax, dword ptr fs:[00000030h] 8_2_012B6870
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B6870 mov eax, dword ptr fs:[00000030h] 8_2_012B6870
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01232840 mov ecx, dword ptr fs:[00000030h] 8_2_01232840
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01250854 mov eax, dword ptr fs:[00000030h] 8_2_01250854
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224859 mov eax, dword ptr fs:[00000030h] 8_2_01224859
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01224859 mov eax, dword ptr fs:[00000030h] 8_2_01224859
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220887 mov eax, dword ptr fs:[00000030h] 8_2_01220887
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012AC89D mov eax, dword ptr fs:[00000030h] 8_2_012AC89D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EA8E4 mov eax, dword ptr fs:[00000030h] 8_2_012EA8E4
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C8F9 mov eax, dword ptr fs:[00000030h] 8_2_0125C8F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125C8F9 mov eax, dword ptr fs:[00000030h] 8_2_0125C8F9
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124E8C0 mov eax, dword ptr fs:[00000030h] 8_2_0124E8C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F08C0 mov eax, dword ptr fs:[00000030h] 8_2_012F08C0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124EB20 mov eax, dword ptr fs:[00000030h] 8_2_0124EB20
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124EB20 mov eax, dword ptr fs:[00000030h] 8_2_0124EB20
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E8B28 mov eax, dword ptr fs:[00000030h] 8_2_012E8B28
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012E8B28 mov eax, dword ptr fs:[00000030h] 8_2_012E8B28
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F4B00 mov eax, dword ptr fs:[00000030h] 8_2_012F4B00
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h] 8_2_0129EB1D
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0121CB7E mov eax, dword ptr fs:[00000030h] 8_2_0121CB7E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D4B4B mov eax, dword ptr fs:[00000030h] 8_2_012D4B4B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D4B4B mov eax, dword ptr fs:[00000030h] 8_2_012D4B4B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B6B40 mov eax, dword ptr fs:[00000030h] 8_2_012B6B40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012B6B40 mov eax, dword ptr fs:[00000030h] 8_2_012B6B40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012EAB40 mov eax, dword ptr fs:[00000030h] 8_2_012EAB40
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012C8B42 mov eax, dword ptr fs:[00000030h] 8_2_012C8B42
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01218B50 mov eax, dword ptr fs:[00000030h] 8_2_01218B50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h] 8_2_012F2B57
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h] 8_2_012F2B57
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h] 8_2_012F2B57
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h] 8_2_012F2B57
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CEB50 mov eax, dword ptr fs:[00000030h] 8_2_012CEB50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230BBE mov eax, dword ptr fs:[00000030h] 8_2_01230BBE
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230BBE mov eax, dword ptr fs:[00000030h] 8_2_01230BBE
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D4BB0 mov eax, dword ptr fs:[00000030h] 8_2_012D4BB0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012D4BB0 mov eax, dword ptr fs:[00000030h] 8_2_012D4BB0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228BF0 mov eax, dword ptr fs:[00000030h] 8_2_01228BF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228BF0 mov eax, dword ptr fs:[00000030h] 8_2_01228BF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228BF0 mov eax, dword ptr fs:[00000030h] 8_2_01228BF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124EBFC mov eax, dword ptr fs:[00000030h] 8_2_0124EBFC
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012ACBF0 mov eax, dword ptr fs:[00000030h] 8_2_012ACBF0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01240BCB mov eax, dword ptr fs:[00000030h] 8_2_01240BCB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01240BCB mov eax, dword ptr fs:[00000030h] 8_2_01240BCB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01240BCB mov eax, dword ptr fs:[00000030h] 8_2_01240BCB
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220BCD mov eax, dword ptr fs:[00000030h] 8_2_01220BCD
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220BCD mov eax, dword ptr fs:[00000030h] 8_2_01220BCD
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01220BCD mov eax, dword ptr fs:[00000030h] 8_2_01220BCD
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CEBD0 mov eax, dword ptr fs:[00000030h] 8_2_012CEBD0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125CA24 mov eax, dword ptr fs:[00000030h] 8_2_0125CA24
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0124EA2E mov eax, dword ptr fs:[00000030h] 8_2_0124EA2E
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01244A35 mov eax, dword ptr fs:[00000030h] 8_2_01244A35
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01244A35 mov eax, dword ptr fs:[00000030h] 8_2_01244A35
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125CA38 mov eax, dword ptr fs:[00000030h] 8_2_0125CA38
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012ACA11 mov eax, dword ptr fs:[00000030h] 8_2_012ACA11
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125CA6F mov eax, dword ptr fs:[00000030h] 8_2_0125CA6F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125CA6F mov eax, dword ptr fs:[00000030h] 8_2_0125CA6F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0125CA6F mov eax, dword ptr fs:[00000030h] 8_2_0125CA6F
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_012CEA60 mov eax, dword ptr fs:[00000030h] 8_2_012CEA60
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129CA72 mov eax, dword ptr fs:[00000030h] 8_2_0129CA72
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0129CA72 mov eax, dword ptr fs:[00000030h] 8_2_0129CA72
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h] 8_2_01226A50
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230A5B mov eax, dword ptr fs:[00000030h] 8_2_01230A5B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01230A5B mov eax, dword ptr fs:[00000030h] 8_2_01230A5B
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228AA0 mov eax, dword ptr fs:[00000030h] 8_2_01228AA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01228AA0 mov eax, dword ptr fs:[00000030h] 8_2_01228AA0
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_01276AA4 mov eax, dword ptr fs:[00000030h] 8_2_01276AA4
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Code function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h] 8_2_0122EA80
Enables debug privileges
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Memory written: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp" Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Process created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Queries volume information: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1519455 Sample: PURCHASE ORDER-6350.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 7 PURCHASE ORDER-6350.exe 7 2->7         started        11 fPtPRnPDTzobXQ.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\...\fPtPRnPDTzobXQ.exe, PE32 7->36 dropped 38 C:\...\fPtPRnPDTzobXQ.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpD091.tmp, XML 7->40 dropped 42 C:\Users\user\...\PURCHASE ORDER-6350.exe.log, ASCII 7->42 dropped 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 PURCHASE ORDER-6350.exe 7->20         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 22 schtasks.exe 1 11->22         started        24 fPtPRnPDTzobXQ.exe 11->24         started        signatures5 process6 signatures7 60 Loading BitLocker PowerShell Module 13->60 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 conhost.exe 22->34         started        process8
No contacted IP infos