Windows Analysis Report
PO No. 0146850827805.exe

Overview

General Information

Sample name: PO No. 0146850827805.exe
Analysis ID: 1545930
MD5: 5ad592fcf46ee793fbf36e4c2ff67542
SHA1: 8c14971e5999d6ab0bd37f3b22804180a6ecb5e6
SHA256: b8d4c86463b945f866e0396ecf65af0e67e55224eecce97b033e25e816eca01e
Tags: exeuser-lowmal3

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: PO No. 0146850827805.exe ReversingLabs: Detection: 42%
Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2310694962.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2310984519.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO No. 0146850827805.exe Joe Sandbox ML: detected
Source: PO No. 0146850827805.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO No. 0146850827805.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: XUea.pdbSHA256 source: PO No. 0146850827805.exe
Source: Binary string: wntdll.pdbUGP source: PO No. 0146850827805.exe, 00000005.00000002.2311416978.0000000001880000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO No. 0146850827805.exe, PO No. 0146850827805.exe, 00000005.00000002.2311416978.0000000001880000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: XUea.pdb source: PO No. 0146850827805.exe
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net
Source: PO No. 0146850827805.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd

E-Banking Fraud

Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2310694962.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2310984519.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0042C433 NtClose, 5_2_0042C433
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0040A9E3 NtAllocateVirtualMemory, 5_2_0040A9E3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2B60 NtClose,LdrInitializeThunk, 5_2_018F2B60
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_018F2DF0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_018F2C70
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F35C0 NtCreateMutant,LdrInitializeThunk, 5_2_018F35C0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F4340 NtSetContextThread, 5_2_018F4340
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F4650 NtSuspendThread, 5_2_018F4650
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2B80 NtQueryInformationFile, 5_2_018F2B80
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2BA0 NtEnumerateValueKey, 5_2_018F2BA0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2BE0 NtQueryValueKey, 5_2_018F2BE0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2BF0 NtAllocateVirtualMemory, 5_2_018F2BF0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2AB0 NtWaitForSingleObject, 5_2_018F2AB0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2AD0 NtReadFile, 5_2_018F2AD0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2AF0 NtWriteFile, 5_2_018F2AF0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2DB0 NtEnumerateKey, 5_2_018F2DB0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2DD0 NtDelayExecution, 5_2_018F2DD0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2D00 NtSetInformationFile, 5_2_018F2D00
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2D10 NtMapViewOfSection, 5_2_018F2D10
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2D30 NtUnmapViewOfSection, 5_2_018F2D30
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2CA0 NtQueryInformationToken, 5_2_018F2CA0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2CC0 NtQueryVirtualMemory, 5_2_018F2CC0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2CF0 NtOpenProcess, 5_2_018F2CF0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2C00 NtQueryInformationProcess, 5_2_018F2C00
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2C60 NtCreateKey, 5_2_018F2C60
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2F90 NtProtectVirtualMemory, 5_2_018F2F90
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2FA0 NtQuerySection, 5_2_018F2FA0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2FB0 NtResumeThread, 5_2_018F2FB0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2FE0 NtCreateFile, 5_2_018F2FE0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2F30 NtCreateSection, 5_2_018F2F30
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2F60 NtCreateProcessEx, 5_2_018F2F60
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2E80 NtReadVirtualMemory, 5_2_018F2E80
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2EA0 NtAdjustPrivilegesToken, 5_2_018F2EA0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2EE0 NtQueueApcThread, 5_2_018F2EE0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2E30 NtWriteVirtualMemory, 5_2_018F2E30
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F3090 NtSetValueKey, 5_2_018F3090
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F3010 NtOpenDirectoryObject, 5_2_018F3010
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F39B0 NtGetContextThread, 5_2_018F39B0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F3D10 NtOpenProcessToken, 5_2_018F3D10
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F3D70 NtOpenThread, 5_2_018F3D70
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: String function: 0193F290 appears 105 times
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: String function: 018F5130 appears 58 times
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: String function: 018AB970 appears 278 times
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: String function: 01907E54 appears 102 times
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: String function: 0192EA12 appears 86 times
Source: PO No. 0146850827805.exe, 00000000.00000000.2113101891.000000000083C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXUea.exe: vs PO No. 0146850827805.exe
Source: PO No. 0146850827805.exe, 00000000.00000002.2149884264.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO No. 0146850827805.exe
Source: PO No. 0146850827805.exe, 00000000.00000002.2155440617.000000000B570000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO No. 0146850827805.exe
Source: PO No. 0146850827805.exe, 00000000.00000002.2151404295.000000000436A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO No. 0146850827805.exe
Source: PO No. 0146850827805.exe, 00000005.00000002.2311416978.00000000019AD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO No. 0146850827805.exe
Source: PO No. 0146850827805.exe Binary or memory string: OriginalFilenameXUea.exe: vs PO No. 0146850827805.exe
Source: PO No. 0146850827805.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO No. 0146850827805.exe.4628490.1.raw.unpack, Ly2n2FR1qPVAHNASeT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 0146850827805.exe.b570000.3.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO No. 0146850827805.exe.b570000.3.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 0146850827805.exe.b570000.3.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO No. 0146850827805.exe.b570000.3.raw.unpack, Ly2n2FR1qPVAHNASeT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 0146850827805.exe.45a0670.0.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO No. 0146850827805.exe.45a0670.0.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 0146850827805.exe.45a0670.0.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO No. 0146850827805.exe.4628490.1.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO No. 0146850827805.exe.4628490.1.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO No. 0146850827805.exe.4628490.1.raw.unpack, WHEeAVIAhQ2VVqtDax.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO No. 0146850827805.exe.45a0670.0.raw.unpack, Ly2n2FR1qPVAHNASeT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal80.troj.evad.winEXE@3/1@1/0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO No. 0146850827805.exe.log
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Mutant created: NULL
Source: PO No. 0146850827805.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PO No. 0146850827805.exe "C:\Users\user\Desktop\PO No. 0146850827805.exe"
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Process created: C:\Users\user\Desktop\PO No. 0146850827805.exe "C:\Users\user\Desktop\PO No. 0146850827805.exe"
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO No. 0146850827805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO No. 0146850827805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.PO No. 0146850827805.exe.4628490.1.raw.unpack, WHEeAVIAhQ2VVqtDax.cs .Net Code: myD7QjxHmp System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO No. 0146850827805.exe.b570000.3.raw.unpack, WHEeAVIAhQ2VVqtDax.cs .Net Code: myD7QjxHmp System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO No. 0146850827805.exe.7250000.2.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO No. 0146850827805.exe.45a0670.0.raw.unpack, WHEeAVIAhQ2VVqtDax.cs .Net Code: myD7QjxHmp System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 0_2_0728A065 pushad ; retf 0_2_0728A066
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 0_2_07285EA2 pushfd ; ret 0_2_07285EB1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_00406155 push ss; retf 5_2_00406160
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_00403270 push eax; ret 5_2_00403272
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0040227F pushad ; retf 5_2_00402280
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0040BB30 push eax; ret 5_2_0040BB31
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0041F3C9 push ss; retf 5_2_0041F3CB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_00404DCD push ebx; iretd 5_2_00404DD8
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_004066BD push edx; iretd 5_2_004066BF
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_00413F7E pushad ; retf 5_2_00414025
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_00413FC5 pushad ; retf 5_2_00414025
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B09AD push ecx; mov dword ptr [esp], ecx 5_2_018B09B6
Source: PO No. 0146850827805.exe Static PE information: section name: .text entropy: 7.6971538943693485
Source: 0.2.PO No. 0146850827805.exe.4628490.1.raw.unpack, RB1vHqz96hDBHdnj3E.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uUFPNbuba9', 'xOLP6o72xI', 'qZYPhjVgj6', 'SPeP41bKYs', 'UsZPYddF8U', 'WoZPPZwIdN', 'NxaPp1loZx'
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PO No. 0146850827805.exe PID: 1936, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: 2B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: 4B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: 8E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: 9E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: A030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: B030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: B610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: C610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F096E rdtsc 5_2_018F096E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe API coverage: 0.7 %
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe TID: 5644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe TID: 7396 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_00417563 LdrLoadDll, 5_2_00417563
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F0185 mov eax, dword ptr fs:[00000030h] 5_2_018F0185
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B83C0 mov eax, dword ptr fs:[00000030h] 5_2_018B83C0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B83C0 mov eax, dword ptr fs:[00000030h] 5_2_018B83C0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B83C0 mov eax, dword ptr fs:[00000030h] 5_2_018B83C0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0195E3DB mov eax, dword ptr fs:[00000030h] 5_2_0195E3DB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0195E3DB mov eax, dword ptr fs:[00000030h] 5_2_0195E3DB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0195E3DB mov ecx, dword ptr fs:[00000030h] 5_2_0195E3DB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0195E3DB mov eax, dword ptr fs:[00000030h] 5_2_0195E3DB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019363C0 mov eax, dword ptr fs:[00000030h] 5_2_019363C0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0196C3CD mov eax, dword ptr fs:[00000030h] 5_2_0196C3CD
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C03E9 mov eax, dword ptr fs:[00000030h] 5_2_018C03E9
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E63FF mov eax, dword ptr fs:[00000030h] 5_2_018E63FF
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018CE3F0 mov eax, dword ptr fs:[00000030h] 5_2_018CE3F0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018CE3F0 mov eax, dword ptr fs:[00000030h] 5_2_018CE3F0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018CE3F0 mov eax, dword ptr fs:[00000030h] 5_2_018CE3F0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EA30B mov eax, dword ptr fs:[00000030h] 5_2_018EA30B
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EA30B mov eax, dword ptr fs:[00000030h] 5_2_018EA30B
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EA30B mov eax, dword ptr fs:[00000030h] 5_2_018EA30B
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018AC310 mov ecx, dword ptr fs:[00000030h] 5_2_018AC310
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D0310 mov ecx, dword ptr fs:[00000030h] 5_2_018D0310
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0197A352 mov eax, dword ptr fs:[00000030h] 5_2_0197A352
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01958350 mov ecx, dword ptr fs:[00000030h] 5_2_01958350
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193035C mov eax, dword ptr fs:[00000030h] 5_2_0193035C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193035C mov eax, dword ptr fs:[00000030h] 5_2_0193035C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193035C mov eax, dword ptr fs:[00000030h] 5_2_0193035C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193035C mov ecx, dword ptr fs:[00000030h] 5_2_0193035C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193035C mov eax, dword ptr fs:[00000030h] 5_2_0193035C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193035C mov eax, dword ptr fs:[00000030h] 5_2_0193035C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01932349 mov eax, dword ptr fs:[00000030h] 5_2_01932349
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0195437C mov eax, dword ptr fs:[00000030h] 5_2_0195437C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE284 mov eax, dword ptr fs:[00000030h] 5_2_018EE284
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE284 mov eax, dword ptr fs:[00000030h] 5_2_018EE284
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01930283 mov eax, dword ptr fs:[00000030h] 5_2_01930283
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01930283 mov eax, dword ptr fs:[00000030h] 5_2_01930283
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01930283 mov eax, dword ptr fs:[00000030h] 5_2_01930283
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019462A0 mov eax, dword ptr fs:[00000030h] 5_2_019462A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019462A0 mov ecx, dword ptr fs:[00000030h] 5_2_019462A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019462A0 mov eax, dword ptr fs:[00000030h] 5_2_019462A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019462A0 mov eax, dword ptr fs:[00000030h] 5_2_019462A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019462A0 mov eax, dword ptr fs:[00000030h] 5_2_019462A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019462A0 mov eax, dword ptr fs:[00000030h] 5_2_019462A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018BA2C3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018BA2C3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018BA2C3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018BA2C3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_018BA2C3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C02E1 mov eax, dword ptr fs:[00000030h] 5_2_018C02E1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C02E1 mov eax, dword ptr fs:[00000030h] 5_2_018C02E1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C02E1 mov eax, dword ptr fs:[00000030h] 5_2_018C02E1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018A823B mov eax, dword ptr fs:[00000030h] 5_2_018A823B
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01938243 mov eax, dword ptr fs:[00000030h] 5_2_01938243
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01938243 mov ecx, dword ptr fs:[00000030h] 5_2_01938243
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B6259 mov eax, dword ptr fs:[00000030h] 5_2_018B6259
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018AA250 mov eax, dword ptr fs:[00000030h] 5_2_018AA250
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018A826B mov eax, dword ptr fs:[00000030h] 5_2_018A826B
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01960274 mov eax, dword ptr fs:[00000030h] 5_2_01960274
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B4260 mov eax, dword ptr fs:[00000030h] 5_2_018B4260
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B4260 mov eax, dword ptr fs:[00000030h] 5_2_018B4260
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B4260 mov eax, dword ptr fs:[00000030h] 5_2_018B4260
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E4588 mov eax, dword ptr fs:[00000030h] 5_2_018E4588
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B2582 mov eax, dword ptr fs:[00000030h] 5_2_018B2582
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B2582 mov ecx, dword ptr fs:[00000030h] 5_2_018B2582
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE59C mov eax, dword ptr fs:[00000030h] 5_2_018EE59C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019305A7 mov eax, dword ptr fs:[00000030h] 5_2_019305A7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019305A7 mov eax, dword ptr fs:[00000030h] 5_2_019305A7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019305A7 mov eax, dword ptr fs:[00000030h] 5_2_019305A7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D45B1 mov eax, dword ptr fs:[00000030h] 5_2_018D45B1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D45B1 mov eax, dword ptr fs:[00000030h] 5_2_018D45B1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE5CF mov eax, dword ptr fs:[00000030h] 5_2_018EE5CF
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE5CF mov eax, dword ptr fs:[00000030h] 5_2_018EE5CF
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B65D0 mov eax, dword ptr fs:[00000030h] 5_2_018B65D0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EA5D0 mov eax, dword ptr fs:[00000030h] 5_2_018EA5D0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EA5D0 mov eax, dword ptr fs:[00000030h] 5_2_018EA5D0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EC5ED mov eax, dword ptr fs:[00000030h] 5_2_018EC5ED
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EC5ED mov eax, dword ptr fs:[00000030h] 5_2_018EC5ED
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_018DE5E7
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B25E0 mov eax, dword ptr fs:[00000030h] 5_2_018B25E0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01946500 mov eax, dword ptr fs:[00000030h] 5_2_01946500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01984500 mov eax, dword ptr fs:[00000030h] 5_2_01984500
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE53E mov eax, dword ptr fs:[00000030h] 5_2_018DE53E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE53E mov eax, dword ptr fs:[00000030h] 5_2_018DE53E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE53E mov eax, dword ptr fs:[00000030h] 5_2_018DE53E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE53E mov eax, dword ptr fs:[00000030h] 5_2_018DE53E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DE53E mov eax, dword ptr fs:[00000030h] 5_2_018DE53E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0535 mov eax, dword ptr fs:[00000030h] 5_2_018C0535
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0535 mov eax, dword ptr fs:[00000030h] 5_2_018C0535
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0535 mov eax, dword ptr fs:[00000030h] 5_2_018C0535
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0535 mov eax, dword ptr fs:[00000030h] 5_2_018C0535
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0535 mov eax, dword ptr fs:[00000030h] 5_2_018C0535
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0535 mov eax, dword ptr fs:[00000030h] 5_2_018C0535
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B8550 mov eax, dword ptr fs:[00000030h] 5_2_018B8550
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B8550 mov eax, dword ptr fs:[00000030h] 5_2_018B8550
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E656A mov eax, dword ptr fs:[00000030h] 5_2_018E656A
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E656A mov eax, dword ptr fs:[00000030h] 5_2_018E656A
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E656A mov eax, dword ptr fs:[00000030h] 5_2_018E656A
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B64AB mov eax, dword ptr fs:[00000030h] 5_2_018B64AB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0193A4B0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E44B0 mov ecx, dword ptr fs:[00000030h] 5_2_018E44B0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B04E5 mov ecx, dword ptr fs:[00000030h] 5_2_018B04E5
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E8402 mov eax, dword ptr fs:[00000030h] 5_2_018E8402
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E8402 mov eax, dword ptr fs:[00000030h] 5_2_018E8402
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E8402 mov eax, dword ptr fs:[00000030h] 5_2_018E8402
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018AE420 mov eax, dword ptr fs:[00000030h] 5_2_018AE420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018AE420 mov eax, dword ptr fs:[00000030h] 5_2_018AE420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018AE420 mov eax, dword ptr fs:[00000030h] 5_2_018AE420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018AC427 mov eax, dword ptr fs:[00000030h] 5_2_018AC427
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01936420 mov eax, dword ptr fs:[00000030h] 5_2_01936420
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EA430 mov eax, dword ptr fs:[00000030h] 5_2_018EA430
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EE443 mov eax, dword ptr fs:[00000030h] 5_2_018EE443
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018A645D mov eax, dword ptr fs:[00000030h] 5_2_018A645D
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D245A mov eax, dword ptr fs:[00000030h] 5_2_018D245A
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193C460 mov ecx, dword ptr fs:[00000030h] 5_2_0193C460
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DA470 mov eax, dword ptr fs:[00000030h] 5_2_018DA470
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DA470 mov eax, dword ptr fs:[00000030h] 5_2_018DA470
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018DA470 mov eax, dword ptr fs:[00000030h] 5_2_018DA470
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0195678E mov eax, dword ptr fs:[00000030h] 5_2_0195678E
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B07AF mov eax, dword ptr fs:[00000030h] 5_2_018B07AF
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019647A0 mov eax, dword ptr fs:[00000030h] 5_2_019647A0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018BC7C0 mov eax, dword ptr fs:[00000030h] 5_2_018BC7C0
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_019307C3 mov eax, dword ptr fs:[00000030h] 5_2_019307C3
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D27ED mov eax, dword ptr fs:[00000030h] 5_2_018D27ED
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D27ED mov eax, dword ptr fs:[00000030h] 5_2_018D27ED
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018D27ED mov eax, dword ptr fs:[00000030h] 5_2_018D27ED
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B47FB mov eax, dword ptr fs:[00000030h] 5_2_018B47FB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B47FB mov eax, dword ptr fs:[00000030h] 5_2_018B47FB
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193E7E1 mov eax, dword ptr fs:[00000030h] 5_2_0193E7E1
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EC700 mov eax, dword ptr fs:[00000030h] 5_2_018EC700
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B0710 mov eax, dword ptr fs:[00000030h] 5_2_018B0710
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E0710 mov eax, dword ptr fs:[00000030h] 5_2_018E0710
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0192C730 mov eax, dword ptr fs:[00000030h] 5_2_0192C730
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EC720 mov eax, dword ptr fs:[00000030h] 5_2_018EC720
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018EC720 mov eax, dword ptr fs:[00000030h] 5_2_018EC720
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E273C mov eax, dword ptr fs:[00000030h] 5_2_018E273C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E273C mov ecx, dword ptr fs:[00000030h] 5_2_018E273C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E273C mov eax, dword ptr fs:[00000030h] 5_2_018E273C
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E674D mov esi, dword ptr fs:[00000030h] 5_2_018E674D
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E674D mov eax, dword ptr fs:[00000030h] 5_2_018E674D
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018E674D mov eax, dword ptr fs:[00000030h] 5_2_018E674D
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_01934755 mov eax, dword ptr fs:[00000030h] 5_2_01934755
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_0193E75D mov eax, dword ptr fs:[00000030h] 5_2_0193E75D
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B0750 mov eax, dword ptr fs:[00000030h] 5_2_018B0750
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2750 mov eax, dword ptr fs:[00000030h] 5_2_018F2750
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018F2750 mov eax, dword ptr fs:[00000030h] 5_2_018F2750
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B8770 mov eax, dword ptr fs:[00000030h] 5_2_018B8770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018C0770 mov eax, dword ptr fs:[00000030h] 5_2_018C0770
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B4690 mov eax, dword ptr fs:[00000030h] 5_2_018B4690
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Code function: 5_2_018B4690 mov eax, dword ptr fs:[00000030h] 5_2_018B4690
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Memory written: C:\Users\user\Desktop\PO No. 0146850827805.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Process created: C:\Users\user\Desktop\PO No. 0146850827805.exe "C:\Users\user\Desktop\PO No. 0146850827805.exe"
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Queries volume information: C:\Users\user\Desktop\PO No. 0146850827805.exe VolumeInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO No. 0146850827805.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2310694962.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2310984519.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO No. 0146850827805.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2310694962.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2310984519.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos